Heavy attacks - CageFS didn't help
Hi everyone,
I hope I can find some things I didn't try here.
I have a customer who rents a VPS with CloudLinux and cPanel:
CageFS is on
ModSecurity is on with the OWASP rulesets manually installed
ExecCGI + Indexes are off
maldet is scanning
rkhunter is scanning
free nginxcp, latest version 4.8, is installed
The server suffers from:
SQL injections (usernames in wp_users being changed)
script injections (base64)
symlinks
and worst of all, a sub-domain was added to an account,
including DNS and HTTP settings -
this subdomain held a PayPal phishing site,
and we found out about it via the abuse team at our colocation.
My first question is:
what good does CageFS do if symlinks are done on the servers?
How can I prevent the running of any base64 scripts?
Thanks in advance.
:mad: I'm desperate and, most of all, disappointed in CloudLinux and their so-called "CageFS".
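The post above asks how to stop the injected base64 scripts. The thread never answers that directly, so here is an added example, not from the original poster or from CloudLinux, that does the detection half: a POSIX shell check that finds PHP files carrying the common eval(base64_decode(...)) / eval(gzinflate(base64_decode(...))) dropper pattern while leaving legitimate base64_decode() calls alone. The directory tree, file names, the sample payloads and the regular expression are all constructed for the demo; the base64 blob in the "dropper" decodes to a harmless echo statement.

```shell
#!/bin/sh
# Added example (not from the thread): find PHP files that execute a decoded
# blob straight through eval(), the pattern the original poster calls
# "script injections (base64)". Everything below the functions is a
# constructed sample tree so the script runs offline.

# Obfuscation decoders fed directly into eval(). Extended regular expression
# for grep -E; extend the alternation with variants you see on your own box.
INJECT_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('

# Print the PHP files under directory $1 that match INJECT_RE, one per line.
find_base64_droppers() {
    grep -rlE --include='*.php' "$INJECT_RE" "$1" 2>/dev/null | sort
}

# Number of matching files, convenient for a cron job that alerts on > 0.
count_base64_droppers() {
    find_base64_droppers "$1" | wc -l | tr -d ' '
}

# --- constructed sample tree (hypothetical account layout) ---
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/wp-content/uploads"

# Legitimate use of base64_decode(): no eval(), must NOT be reported.
cat > "$DEMO_DIR/legit.php" <<'EOF'
<?php
$logo = base64_decode($encoded_logo);
file_put_contents('logo.png', $logo);
EOF

# Classic dropper: the blob decodes to  echo 'hello';  (harmless sample).
cat > "$DEMO_DIR/wp-content/uploads/x.php" <<'EOF'
<?php
eval(base64_decode("ZWNobyAnaGVsbG8nOw=="));
EOF

# Variant with extra whitespace and a gzinflate() wrapper.
cat > "$DEMO_DIR/index.php" <<'EOF'
<?php
/* normal page content above */
eval ( gzinflate( base64_decode( $payload ) ) );
EOF

echo "Suspicious PHP files under $DEMO_DIR:"
find_base64_droppers "$DEMO_DIR"
echo "count: $(count_base64_droppers "$DEMO_DIR")"
```

On a real account you would point find_base64_droppers at the document root (for example /home/USER/public_html) rather than the demo tree. This only finds the most common dropper shape; maldet's signature set covers many more, and removing base64_decode() via PHP's disable_functions is not practical because legitimate plugins use it, so detection plus fixing the entry point (outdated scripts, stolen FTP credentials, as the replies below point out) is the realistic route.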
The things you are writing about have nothing to do with CageFS. The same "security" you'll have when you put your root password on Facebook... SQL injection is the customer's problem (not a weak system, but weak programmers). Base64 scripts are commonly injected by stealing passwords from Total Commander; this is the customer's security problem too. Not CageFS or CloudLinux.
Hello :) One of the best things you can do is to ensure the applications that your customers install on their websites are up to date. Most attacks are on outdated scripts where known exploits are available. Thank you.
He is absolutely right, CageFS is useless. I have more than 40 accounts on a shared server; they started falling to phishing or whatever one after another, and now all of them are infected, knowing that 13 accounts have no files, no databases, no email accounts, just empty for later use. I'm 99% sure that the fraud files are spreading across accounts. This has been happening to me since January. I have done every possible thing: changed passwords using a password generator, formatted my PC, latest Kaspersky antivirus, I don't save any passwords in the browser, etc. For over 5 months I have been suffering from this.
Keep in mind that you may need to consult a qualified system administrator or security specialist if you are concerned about the security of your system and are unable to pinpoint any particular source of the attack. Thank you.
I use and have handled lots of CageFS-enabled servers, and the problem mentioned by psytanium is more related to the website and its programming, which allows the hacker to manipulate your database and files. Still, you can stop symbolic links by selecting "Symlink Race Condition Protection" from the Exhaustive Options list during the EasyApache build process. Also, when you use CageFS you should know how to configure it more strongly according to your needs. To change the GID of processes that cannot follow symlinks, edit the file /etc/sysctl.conf and add the line:
fs.symlinkown_gid = XX
More: open /etc/sysctl.conf and look for / add the line below:
fs.enforce_symlinksifowner = 1
And execute:
$ sysctl -p
365hostingsupport
@Nadav, see the CloudLinux documentation: http://docs.cloudlinux.com/index.html?securelinks.html
The article describes that Apache runs with id 99, so this is 'standard', added at the end of the file /etc/sysctl.conf:
fs.symlinkown_gid = 99
# CageFS
fs.proc_can_see_other_uid=0
fs.suid_dumpable=1
Same for symlinksifowner: a default install of CL will make sure it is enabled. See the thread below for the command to check whether it is enabled:
$ sysctl -a|grep symlink
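The two replies above describe the CloudLinux SecureLinks sysctls but leave the verification to a manual grep. The following is an added example, not from either poster or from CloudLinux, that turns that check into a small POSIX shell function: it reads a saved "sysctl -a" dump, extracts fs.enforce_symlinksifowner and fs.symlinkown_gid, and fails unless enforcement is on and the GID matches the group the web server actually runs as. The two sysctl dumps embedded below are constructed for the demo; the expected GID of 99 follows the reply above and is an assumption about your build.

```shell
#!/bin/sh
# Added example (not from the thread): verify the symlink-ownership sysctls
# that the replies above describe. The dumps below are constructed so the
# script runs offline; on a live box feed it the real "sysctl -a" output.

# Print the value of sysctl key $1 from "key = value" lines on stdin.
# Handles both "key = value" and "key=value" spellings, as seen in the thread.
sysctl_value() {
    awk -v k="$1" -F'=' '{
        key = $1; gsub(/[ \t]/, "", key)
        if (key == k) { val = $2; gsub(/[ \t]/, "", val); print val; exit }
    }'
}

# $1 = file holding "sysctl -a" output, $2 = GID the web server runs as.
# Returns 0 only if fs.enforce_symlinksifowner is 1 AND fs.symlinkown_gid
# equals $2; otherwise prints what is wrong and returns 1.
check_symlink_protection() {
    dump="$1"; want_gid="$2"; rc=0
    enforce=$(sysctl_value fs.enforce_symlinksifowner < "$dump")
    gid=$(sysctl_value fs.symlinkown_gid < "$dump")
    if [ "$enforce" != "1" ]; then
        echo "fs.enforce_symlinksifowner is '${enforce:-unset}', expected 1"; rc=1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "fs.symlinkown_gid is '${gid:-unset}', expected $want_gid"; rc=1
    fi
    return $rc
}

# --- constructed sample dumps ---
GOOD_DUMP=$(mktemp); BAD_DUMP=$(mktemp)
# Matches the settings posted above (GID 99, enforcement on).
cat > "$GOOD_DUMP" <<'EOF'
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
fs.proc_can_see_other_uid=0
fs.suid_dumpable = 1
EOF
# Enforcement off and the GID pointing at a group Apache does not use.
cat > "$BAD_DUMP" <<'EOF'
fs.enforce_symlinksifowner = 0
fs.symlinkown_gid = 48
EOF

for f in "$GOOD_DUMP" "$BAD_DUMP"; do
    if check_symlink_protection "$f" 99; then
        echo "$f: symlink protection OK"
    else
        echo "$f: NOT protected"
    fi
done
```

On the server itself, save the live values with `sysctl -a 2>/dev/null > /tmp/sysctl.out` and call `check_symlink_protection /tmp/sysctl.out "$(id -g nobody)"`; using id -g instead of a hard-coded 99 catches builds where Apache's group is not nobody (an assumption about your EasyApache profile). Note that fs.suid_dumpable, which the reply above lists alongside the CageFS settings, controls core dumps of set-uid processes and is not part of the symlink protection, so the check deliberately ignores it.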