How to setup Litespeed LSWS for a shared environment?

grniyce · Mar 27, 2009

Is there a subject matter expert that can guide me on how to setup LSWS for a secure shared webserver. I know that is a blind request, but let me explain what happened in the past. I host some friends and so forth. We one friend shared his cpanel with his partner whom had his identity stolen. Then this unknown decided to upload some script which allowed him to gain access to the root of the server, and virtually deleted everthing; leaving me with a ton of refunds and headaches for over a month. I was using LSWS at the time, however I don't know why mod_security didn't catch the script.

Please tell me what you need to know to give me the information I need, and I will provide it.

IrPr · Mar 28, 2009

grniyce said:

mod_security defects some malicious scripts but there is a lot of CGI/PHP shells which mod_security couldnt detect, r57 phpshell for example

to secure your shared hosting you have to secure php in parallel of webserver/mod_security

all php shells are based on some malicious functions such as exec, system, passthru, shell, shell_exe, ... which should be disabled for security reasons, so all phpshells would be killed on your server

open_basedir is one of most important options should be set for each VHost which will jail php functions into VH's documentroot, so functions such as fopen, readdir and another file functions would be restricted just to the same VH and not available to another VHs

safe_mode and suhosin are another tricks to increase php security

IrPr · Mar 28, 2009

IrPr said:

Just want to mention that its very hard to escalate nobody prvileges to root using PHP, indeed most of local privilege escalation to root need suitable shell environment such as bash/bin, so you should disable shell access too

i suggest you install http://www.configserver.com/cp/csf.html firewall which is a powerfull firewall compatible with mod_security audits with a lot of security measures
after you installed CSF go and Check your server security, it will tell you your security score and how to increase your server security to highest level

grniyce · Mar 28, 2009

I have mod_security installed and referenced in httpd.conf.
I also have Enable Request Filtering set to Yes In LSWS.
I have CSF installed and configured with a score of 111 out of 117.

IrPr, you stated php in parallel of webserver/mod_security. If the above is true, would I be meeting that goal?

Also... you stated the malicious functions. Can you explain to me which ones I should apply, and if they go in php.ini disable_functions=blah, blah, blah?

I do have open_basedir turned off in WHM.
Safe_mode gives some errors with the bulletin boards that I run, as does suhosin.

Any other suggestions?

IrPr · Mar 29, 2009

grniyce said:

For PHP there are some security measures in CSF Server security check such as open_basedir, disable_functions, enable_dl

What mod_security rules are you using? you can find some up2date rules from http://www.gotroot.com/tiki-index.php?page=mod_security+rules

Mod_security audit_log has been implemented in LSWS 4.0 also, you can set your audit_log path in CSF and check for security logs there which is very userfriendly, or set LFD rules in your CSF configuration to block attackers automatically

grniyce said:

Yes, using disable_functions directive in php.ini

I disabled these functions on my shared servers:

Code:

fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsidposix_setuid

various functions disabled but it kills all of phpshells/exploits and all of my scripts are working as well, you may remove some functions if it breaks your scripts

you can disable posix functions in php configure script using '--disable-posix' too

grniyce said:

turned off? you mean open_basedir protection has been enabled in WHM -> Security Center -> Tweak PHP open_basedir Security ?

grniyce said:

You can turn safe_mode on globally and turn if off individually for each VH using php_admin_value safe_mode 0 directive in VirtualHost section in httpd.conf

for suhosin i use this values in php.ini:

Code:

[suhosin]
extension=suhosin.so
suhosin.post.max_vars = 1024
suhosin.request.max_vars = 1024
suhosin.get.max_value_length = 1024

grniyce said:

We know Litespeed is awesome in performances, but there is alot of security features in LSWS either!

To increase your CGI security you may re-install LSWS with chroot enabled but it may break some scripts, however its working like a charm for me

Also you can secure your server for DDoS attacks, check this out: http://www.litespeedtech.com/library/howto/#qa_dos

I suggest you restrict your SSH and WHM daemons only to your own IP addresses if its static, or to your range if dynamic in WHM -> Security Center -> Host Access Control
If you allow your own IP addresses and DENY ALL no one can access into your server even with root pw!

Also upgrade to mysql5 if you are on mysql4, there are vulnerabilities in mysql4 which attacker can bypass open_basedir and access files out of its home, there is a lot of performances in mysql5 either

Now you may upload some phpshells and make sure they are fully killed
common phpshells are available here: www[dot]shellci[dot]biz

Good luck

grniyce · Mar 29, 2009

I did everything you said and then I had a friend find some of the most common scripts that cause trouble, and we uploaded them to a mock site we setup and they were stopped dead in their tracks. Furthermore, CSF blocked the ip's automatically via LFD. I am truly amazed and overwhelmingly thankful for your help!

The only question I have is:

I signed up on that site, but how would I import/apply these rules? I have WHM and the latest CSF.
http://downloads.prometheus-group.com/delayed/rules/modsec-2.5-free-latest.tar.gz

Thank you once again for your contribution. I cannot say how thankful I am in words.

Sincerely blessed from receiving your help,

Anthony Jordan

DraCoola · Apr 1, 2009

Still no luck.
Because fantastico need php_uname, shell_exec, and system are enable on php.ini.
So the c99 can ls, ls -al, and cat accross to other vhost again

Tony · Apr 1, 2009

DraCoola said:

Fantastico should be using cPanel's PHP not the system one. So you should not have to enable those functions for fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cpanel php.

IrPr · Apr 1, 2009

grniyce said:

Welcome dude

About mod_sec rules im using JIT and rootkit right now, but i think Tony is more familar with those rules

DraCoola said:

Tony said:

Fantastico uses the main php.ini file located /usr/local/lib/php.ini while LS uses LSPATH/lsphpx/lib/php.ini by default

PS: I strongly suggest disabling Fantastico if you can because of lots of vulnerabilities
Examples: http://www.milw0rm.com/exploits/6461 or http://www.milw0rm.com/exploits/6897

DraCoola · Apr 1, 2009

Tony said:

Thank you for explanation.
Could you told me the path for system php.ini?

DraCoola · Apr 1, 2009

IrPr said:

Welcome dude

About mod_sec rules im using JIT and rootkit right now, but i think Tony is more familar with those rules

system or cPanel PHP, Fantastico uses the main php.ini file located /usr/local/lib/php.ini while LS uses LSPATH/lsphpx/lib/php.ini by default

PS: I strongly suggest disabling Fantastico if you can because of lots of vulnerabilities
Examples: http://www.milw0rm.com/exploits/6461 or http://www.milw0rm.com/exploits/6897

got that!
thanks

Tony · Apr 1, 2009

IrPr said:

If the user is using cPanel and used the build matching PHP they'd use /usr/local/lib/php.ini which matches the CLI built by cPanel.

cPanel's PHP which would be used by Fantastico since the installer runs within the cPanel system would be /usr/local/cpanel/3rdparty/etc/php.ini . The cPanel PHP can be found at /usr/local/cpanel/3rdparty/bin/php and is used by anything PHP related ran within WHM or cPanel.

DraCoola · Apr 1, 2009

But... after I edit /usr/local/lib/php.ini, it always changed for the phpinfo() value on /home/user/public_html/phpinfo.php
Is there something wrong with my installation?
I am still using the old php 5.2.8 from cpanel.

IrPr · Apr 1, 2009

Tony said:

If the user is using cPanel and used the build matching PHP they'd use /usr/local/lib/php.ini which matches the CLI built by cPanel.

cPanel's PHP which would be used by Fantastico since the installer runs within the cPanel system would be /usr/local/cpanel/3rdparty/etc/php.ini . The cPanel PHP can be found at /usr/local/cpanel/3rdparty/bin/php and is used by anything PHP related ran within WHM or cPanel.

right, thanks for correction

i always build lsphp myself

IrPr · Apr 1, 2009

DraCoola said:

ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
i thinks its linked into lsphp's php.ini or vv

IrPr · Apr 1, 2009

IrPr said:

Take a look here
http://209.85.129.132/search?q=cach...?t=754373&cd=1&hl=en&ct=clnk&client=firefox-a

Damn WHT hacked

DraCoola · Apr 1, 2009

Tony said:

I check for /usr/local/cpanel/3rdparty/etc/php.ini and found that disable_functions are totally empty there.

@IrPr :

root@xxxxx [/home]# ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
/bin/ls: /opt/lsws/lsphp5/lib/php.ini: No such file or directory
0 lrwxrwxrwx 1 root root 22 Feb 15 12:07 /usr/lib/php.ini -> /usr/local/lib/php.ini
40 -rw-r--r-- 1 root root 40218 Apr 1 08:21 /usr/local/lib/php.ini

IrPr · Apr 1, 2009

DraCoola said:

I check for /usr/local/cpanel/3rdparty/etc/php.ini and found that disable_functions are totally empty there.

@IrPr :

root@xxxxx [/home]# ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
/bin/ls: /opt/lsws/lsphp5/lib/php.ini: No such file or directory
0 lrwxrwxrwx 1 root root 22 Feb 15 12:07 /usr/lib/php.ini -> /usr/local/lib/php.ini
40 -rw-r--r-- 1 root root 40218 Apr 1 08:21 /usr/local/lib/php.ini

Using lsws? whats your loaded php.ini path in phpinfo() ?

DraCoola · Apr 1, 2009

IrPr said:

/usr/local/lib/php.ini

But it is super worked now after running /scripts/makecpphp
Thank you for your all of disable_functions values

DraCoola · Apr 1, 2009

But still curious on how to enable the pure phpsuexec to this LS-Cpanel.
Because I think the security of LS will totally null if any user still can walk around to other users teritories.

It is just as the same as php-DSO (nobody), which username means nothing to php security.

How to setup Litespeed LSWS for a shared environment?

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member