ISPConfig 3 security

Discussion in 'Installation/Configuration' started by iceget, Oct 10, 2013.

  1. iceget

    iceget Member

    hello people,

    i have a question about webserver security.

    in my global php.ini i have disabled the following functions:
    dl,passthru,proc_open,proc_close,shell_exec,system,popen,mail,exec

    i have tested with exec in php to change or view other websites in
    /var/www. so with this setup, the webserver is secure.

    but my main problem is: i need imagemagick for typo3 installations.

    imagemagick needs php exec. but if i allow exec, i can change and show
    each web, ... change files, view files, ...

    safemode is deprecated in php 5.3 and removed in 5.4...

    now the question:
    how can i secure my webserver so that no other customer (for example a customer who needs imagemagick) can change or infect the other webs via the exec command?


    please help.

    thanks

    many greets
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you use the php mode php-fcgi or php-fpm together with suexec, then all php scripts in a website are run under the web user of this site. All external programs like imagemagick that you run with exec are then run under the website user too.

    As each website has its own user (web1, web2, web3 etc.) and each client has its own group, a php user from one site of client A will not be able to read files of other sites of other clients when the files are not world readable.

    For example:

    If you set the database connection details in a file, let's call it config.php in web1, to "chmod 750", then a user of web2 will not be able to read its content with exec if both sites use suexec.
     
  3. iceget

    iceget Member

    hello till,

    thank you.

    but i have another question:

    i have deleted all files from a webspace (on this server where all!! is disabled (system, exec, shell_exec, passthru...)), but a few days later i had a few files in the root of this webspace with "infected trojan"...

    now the main question: how does that work?

    the password was changed 3 times (ssh password); no ftp or ssh access is active for this web...

    what can i do to find out where these files come from?

    maldet detects these files as a trojan....

    thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Which user owns the files? Were there really no files in the "web" folder of the site before the trojan files were added? Post the output of:

    ls -la /var/www/domain.tld/
     
  5. iceget

    iceget Member

    hello till,

    [email protected]:/var/www# ls -lsa /var/www/domain.com
    0 lrwxrwxrwx 1 root root 31 28. Jun 11:40 /var/www/domain.com -> /var/www/clients/client6/web11/
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You missed the leading / in the path of the ls command, ls will display different data without it.
     
  7. iceget

    iceget Member

    I'm sorry:

    [email protected]:/var/www# ls -la domain.com/
    insgesamt 124
    drwxr-xr-x 9 root root 4096 28. Jun 11:40 .
    drwxr-xr-x 5 root root 4096 28. Jun 11:53 ..
    drwxr-xr-x 2 web11 client6 4096 28. Jun 11:40 cgi-bin
    drwxr-xr-x 2 root root 4096 11. Okt 09:16 log
    drwx--x--- 2 web11 client6 4096 28. Jun 11:40 private
    drwxr-xr-x 2 root root 4096 9. Jul 11:49 ssl
    drwxrwxrwx 2 web11 client6 90112 10. Okt 16:40 tmp
    drwx--x--- 20 web11 client6 4096 10. Okt 23:05 web
    drwx--x--- 2 web11 client6 4096 28. Jun 11:40 webdav
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The permissions of the web directory are ok, only the user web1 and the root user can put files there.

    - Which owner did the infected files have that you found in the web folder?
    - Was the web folder really empty (no php or cgi files inside) before the trojan files were added?
     
  9. iceget

    iceget Member

    thanks till, i have found the problem. an ssh user with too many privileges had access to the server!

    now i have changed all passwords.

    many greets
     