LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-22-2012, 11:08 AM   #1
Ijustdontloveyounomore
LQ Newbie
 
Registered: Dec 2012
Posts: 3

Rep: Reputation: Disabled
prevent uploaded file execution


Hi to all,
First time here, so forgive me please if I mistakenly created this question in the wrong place.
Also sorry for my bad English (not native), but I'm trying to be as clear as I can.


I have a question regarding the Apache web server.

I'm running:

Linux debian 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 GNU/Linux

Code:
root@debian:/var/www/somecustomuser# ls -l
total 536
---------------------SNIP----------------------
-rwxrwx---  1 somecustomuseruser www-data     23 Nov 29 22:27 test1.php
-rw-r--r--  1 www-data    www-data     23 Dec 22 11:48 thisfile.php
--------------------END SNIP---------------

All files and folders under /var/www/somecustomuser are recursively chmod'ed to my other user, named somecustomuseruser.
Also, safe_mode is on, so the default UID checking applies here.
But the problem is that if someone (hacker/attacker/script kiddie) somehow manages to upload a "shell" via HTTP, that upload will belong to www-data, not to somecustomuseruser.

Notice the uploaded file (thisfile.php).

If so ---> *I want to prevent that uploaded file's execution*.

Once again, to be clear: how can I prevent *uploaded file execution automatically* (something like the cPanel Hulk way)?
Do I need the setfacl (ACL) way to solve this? Or maybe there are other ways?

Thanks in advance.

Last edited by Ijustdontloveyounomore; 12-22-2012 at 11:08 AM. Reason: code tags
 
Old 12-22-2012, 06:24 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2601
Quote:
Originally Posted by Ijustdontloveyounomore
But the problem is that if someone (hacker/attacker/script kiddie) somehow manages to upload a "shell" via HTTP, that upload will belong to www-data, not to somecustomuseruser.
No, that is not the first problem; the first problem is denying unauthorized uploading. In short: proper system maintenance, host and service hardening first, and only then think about additional measures.


Quote:
Originally Posted by Ijustdontloveyounomore
*I want to prevent that uploaded file's execution*.
Once again, to be clear: how can I prevent *uploaded file execution automatically*
Such a file gets executed because the web server can read its contents and match it with the right interpreter to run it with. One way could be to use suPHP or an httpd.conf LocationMatch or .htaccess denying file read or execution, but again, if no proper host hardening was performed first this'll be like tilting at windmills. If you would like to know more, tell us what application versions you run and what hardening you have performed already.


Quote:
Originally Posted by Ijustdontloveyounomore
something like the cPanel Hulk way?
No, that seems to handle "Brute Force Protection". Obviously only a marketing department would describe as "much anticipated" something that a standard installed feature (PAM, that is) does already.
 
1 members found this post helpful.
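The httpd.conf LocationMatch / .htaccess approach unSpawn mentions, written out as an added example for the Apache 2.2 syntax used in this thread (this is not either poster's configuration). It assumes a virtual host whose document root is /var/www/somecustomuser, with an upload directory /var/www/somecustomuser/uploads underneath it that the web server user may write into; both paths are placeholders modelled on the first post's listing. The point is that an uploaded file is only dangerous once Apache hands it to an interpreter, so the writable directory gets no PHP engine, no handler or MIME mapping for script extensions, no CGI, and no .htaccess overrides (an uploaded .htaccess with its own AddHandler line must not be able to undo the settings):

```apache
# Added example for Apache 2.2 with mod_php; paths and ServerName are placeholders,
# not the thread author's real vhost.
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/www/somecustomuser/

    <Directory /var/www/somecustomuser/>
        Options -Indexes -FollowSymLinks -MultiViews -ExecCGI -Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # The only tree that www-data is allowed to write into.
    # Nothing in it may be interpreted; it is served as static data or not at all.
    <Directory /var/www/somecustomuser/uploads/>
        # mod_php: turn the PHP engine off for this tree whatever the extension is
        php_admin_flag engine off
        # drop any handler/type mapping that could route a file to an interpreter
        RemoveHandler .php .phtml .php3 .php4 .php5 .phps
        RemoveType    .php .phtml .php3 .php4 .php5 .phps
        # force the core (static file) handler for everything here
        SetHandler default-handler
        Options None
        # an uploaded .htaccess must not be able to re-enable any of the above
        AllowOverride None
    </Directory>

    # Belt and braces: refuse to serve anything script-like from the upload path
    # at all, so the server never even reads the source of a dropped "shell".
    <LocationMatch "^/uploads/.*\.(php[0-9]?|phtml|phps|pl|py|cgi|sh)$">
        Order allow,deny
        Deny from all
    </LocationMatch>
</VirtualHost>
```

Two caveats a practitioner should keep in mind. First, `AllowOverride None` in the upload directory matters as much as the engine flag: a vhost that grants `FileInfo` overrides lets any `.htaccess` in that directory add a handler back. Second, this only stops Apache from executing the file directly; a PHP script elsewhere on the host can still `include` it, which is why open_basedir, disable_functions and per-user execution (suPHP) remain part of the picture rather than alternatives to it. After changing the vhost, `apache2ctl -t` checks the syntax and `apache2ctl -M` confirms which modules (here mod_php and mod_mime) are actually loaded.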
Old 12-23-2012, 05:03 AM   #3
Ijustdontloveyounomore
LQ Newbie
 
Registered: Dec 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Dear unSpawn,
Thank you very much for your reply.

Basically it is not a production server. I set it up on my own computer (VirtualBox).
I also did port forwarding to serve incoming requests on port 80, so Apache is accessible from the Internet too.
I'm a bit familiar with penetration testing :) So I also tested my server's security using "shells".

http://imageshack.us/scaled/landing/822/separate.png

I disabled the cgi and ssi modules especially, because in such a configuration (what I have now) a local attacker can bypass it and execute operating system commands.

and

I hardened/separated users by applying the open_basedir restriction too.
A bunch of PHP functions are also disabled (except a few).

I also set mysql.allow_local_infile=off, because there is a chance that an attacker can read others' configs this way.

But all this is not enough. In future I'm planning to separate uid/gids for every "client" too. This will harden the web server completely (I think, and I hope) (but I have never done it).
I'm also using ClamAV to find "shells"/backdoors.


Do I need to harden it a bit?


If I use suPHP, can I prevent that HTTP-uploaded file's execution? (I'm sorry for my stupid questions; I have never used suPHP.
But RTFM, I think, can light the way in the right direction :) )

Thank you very much!
Sorry for my English


Code:
root@debian:/etc/apache2/sites-enabled# ps aux|grep apach*
root      1164  0.1  0.5  34432  7960 ?        Ss   05:10   0:00 /usr/sbin/apache2 -k start
www-data  1186  0.0  0.2  34432  4132 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1187  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1189  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1190  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
www-data  1191  0.0  0.2  34432  4128 ?        S    05:10   0:00 /usr/sbin/apache2 -k start
root      2166  0.0  0.0   3308   784 pts/0    S+   05:18   0:00 grep apach*



root@debian:/usr/sbin# apache2ctl -V
Server version: Apache/2.2.16 (Debian)
Server built:   Nov 30 2012 08:33:45
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"



root@debian:/usr/sbin# apache2ctl -M
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 security2_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
 unique_id_module (shared)
Syntax OK


root@debian:/etc/apache2# ls -l
total 92
-rw-r--r-- 1 root root  7994 Sep  9 17:17 apache2.conf
drwxr-xr-x 2 root root  4096 Nov 30 16:08 conf.d
-rw-r--r-- 1 root root  1169 Nov 19 09:13 envvars
-rw-r--r-- 1 root root  1169 Nov 19 09:07 envvars_bak
-rw-r--r-- 1 root root    75 Nov 29 17:11 httpd.conf
lrwxrwxrwx 1 root root    17 Nov 19 18:03 logs -> /var/log/apache2/
-rw-r--r-- 1 root root 31063 Sep  9 17:17 magic
drwxr-xr-x 2 root root 12288 Dec 12 22:00 mods-available
drw------- 3 root root  4096 Dec 12 22:53 mod-security
drwxr-xr-x 2 root root  4096 Dec 12 22:00 mods-enabled
---------- 1 root root    50 Nov 13 13:07 oxu.txt
-rw-r--r-- 1 root root   750 Sep  9 17:17 ports.conf
drwxr-xr-x 2 root root  4096 Dec  1 10:14 sites-available
drwxr-xr-x 2 root root  4096 Nov 29 16:32 sites-enabled
root@debian:/etc/apache2# cat httpd.conf
ServerSignature Off
ServerTokens Prod


Options -Indexes
Options -ExecCgi

root@debian:/etc/apache2/sites-enabled# cat -n hacker1.own
     1  Include /etc/apache2/conf.d/security
     2  <VirtualHost *:80>
     3          ServerAdmin webmaster@hacker1.own
     4          ServerName www.hacker1.own
     5          ServerAlias hacker1.own
     6          ServerSignature Off
     7
     8          DocumentRoot /var/www/hacker1/
     9          <Directory />
    10  Options -Indexes -FollowSymLinks -MultiViews -Execcgi -Includes
    11  #http://httpd.apache.org/docs/2.2/mod/core.html#options#
    12  #AllowOverride none
    13  Options -Includes -ExecCGI -Indexes -MultiViews
    14  #Options None
    15  AllowOverride AuthConfig Limit Fileinfo
    16
    17          </Directory>
    18
    19          <Directory /var/www/hacker1/>
    20  Options -Includes -ExecCGI -Indexes -MultiViews
    21  AllowOverride AuthConfig Limit Fileinfo
    22
    23                  Order allow,deny
    24                  Allow from all
    25          </Directory>
    26
    27  <Directory "/var/www/hacker1/">
    28   php_admin_value open_basedir "/var/www/hacker1/:/tmp/:.:/usr/share/php:.:/usr/share/pear"
    29  </Directory>
    30
    31          #ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    32          <Directory "/usr/lib/cgi-bin">
    33                  AllowOverride None
    34                  Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch
    35                  # Options None
    36                  Order allow,deny
    37                  Deny from all
    38          </Directory>
    39
    40          ErrorLog ${APACHE_LOG_DIR}/error.log
    41
    42          # Possible values include: debug, info, notice, warn, error, crit,
    43          # alert, emerg.
    44          LogLevel warn
    45
    46          CustomLog ${APACHE_LOG_DIR}/access.log combined
    47  </VirtualHost>


root@debian:/etc/apache2/sites-enabled# cat -n 000-default
     1  Include /etc/apache2/conf.d/security
     2  <VirtualHost *:80>
     3          ServerAdmin webmaster@my.hack
     4          ServerName www.my.hack
     5          ServerAlias my.hack
     6         #ServerSignature Off
     7
     8          DocumentRoot /var/www/hack/
     9          <Directory />
    10                  Options -FollowSymLinks
    11                  AllowOverride none
    12          </Directory>
    13
    14          <Directory /var/www/hack/>
    15                  Options -Indexes -FollowSymLinks -MultiViews -Execcgi
    16                  AllowOverride all
    17                  Order allow,deny
    18                  Allow from all
    19          </Directory>
    20
    21  <Directory "/var/www/hack/">
    22   php_admin_value open_basedir "/var/www/hack/:/tmp/:.:/usr/share/php:.:/usr/share/pear"
    23  </Directory>
    24
    25
    26          ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    27          <Directory "/usr/lib/cgi-bin">
    28                  AllowOverride None
    29                  Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch
    30                  Order allow,deny
    31                  Deny from all
    32          </Directory>
    33
    34          ErrorLog ${APACHE_LOG_DIR}/error.log
    35
    36          # Possible values include: debug, info, notice, warn, error, crit,
    37          # alert, emerg.
    38          LogLevel warn
    39
    40          CustomLog ${APACHE_LOG_DIR}/access.log combined
    41  </VirtualHost>


root@debian:/var/www# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       debian.localdomain      debian
127.0.0.1       my.hack
127.0.0.1       hacker1.own

root@debian:/var/www# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:33:bb:e7
          inet addr:192.168.0.15  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe33:bbe7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1618 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145458 (142.0 KiB)  TX bytes:314045 (306.6 KiB)
          Interrupt:10 Base address:0xd020

eth2      Link encap:Ethernet  HWaddr 08:00:27:07:7f:c6
          inet addr:10.0.3.15  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe07:7fc6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:415 errors:0 dropped:0 overruns:0 frame:0
          TX packets:452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:333774 (325.9 KiB)  TX bytes:37398 (36.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4778 (4.6 KiB)  TX bytes:4778 (4.6 KiB)





root@debian:/usr/sbin# php -v
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
root@debian:/usr/sbin#

root@debian:/etc/php5/apache2# cat php.ini |grep safe_mode
safe_mode = On
; then turn on safe_mode_gid.
safe_mode_gid = Off
; When safe_mode is on, UID/GID checks are bypassed when
safe_mode_include_dir =
; When safe_mode is on, only executables located in the safe_mode_exec_dir
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions=exec,passthru,fsockopen,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd,exec,fp,fput,highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, po,six_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate,syslog,system, xmlrpc_entity_decode,apache_note,apache_setenv,proc_get_status,exec,passthru,proc_nice,proc_open,proc_terminate,shell_exec,system,ini_restore,define_syslog_variables,symlink,link,error_log,leak,dbmopen,closelog,stream_socket_server,execl,escapeshellcmd,proc_close,ini_alter,dl,show_ource,posix_getpwuid,posix_geteuid,posix_getegid,posix_getgrgid,open_basedir,safe_mode_include_dir,pcntl_exec,pcntl_fork,putenv,pclose,virtual,openlog,popen,escapeshellarg,dl
sql.safe_mode = Off

root@debian:/etc/php5/apache2# cat php.ini |grep "infile"
; http://php.net/mysql.allow_local_infile
mysql.allow_local_infile = Off
; http://php.net/mysqli.allow_local_infile
;mysqli.allow_local_infile = On
 
Old 12-23-2012, 07:00 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2601
Quote:
Originally Posted by Ijustdontloveyounomore
(..) I disabled the cgi and ssi modules (..) I hardened/separated users by applying the open_basedir restriction too. A bunch of PHP functions are also disabled (except a few). (..) I also set mysql.allow_local_infile=off (..) I'm planning to separate uid/gids for every "client" too. (..) I'm also using ClamAV to find "shells"/backdoors.
Well, you did do more than a lot of users would, so: good!


Quote:
Originally Posted by Ijustdontloveyounomore
(..) I also tested my server's security using "shells".
Testing is good. Since you're into pentesting you know what your toolkit contains and you know never to rely on one tool or one method.


Quote:
Originally Posted by Ijustdontloveyounomore
If I use suPHP, can I prevent that HTTP-uploaded file's execution? (I'm sorry for my stupid questions; I have never used suPHP. But RTFM, I think, can light the way in the right direction
Simply start with the existing documentation?


Quote:
Originally Posted by Ijustdontloveyounomore
This will harden the web server completely (I think, and I hope)
Since you're into pentesting you know security is a continuous process of auditing and adjusting and remaining vigilant always.
 
Old 12-23-2012, 07:31 AM   #5
Ijustdontloveyounomore
LQ Newbie
 
Registered: Dec 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Once again, thank you unSpawn :)

I installed suPHP. Everything seems secure enough now. I can't read others' files, configs, etc.
Thank you again for your advice.
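What suPHP changes compared with mod_php, shown as an added example of a mod_suphp vhost fragment for Debian's Apache 2.2 (this is not the poster's actual configuration, and the directory path is a placeholder taken from the first post). With mod_php every script runs as www-data, so the server cannot tell a user's own script from a file it was tricked into writing. suPHP instead executes each script through php-cgi as the user who owns the file, and before doing so checks that owner against the policy in /etc/suphp/suphp.conf. The vhost side only has to route PHP to suPHP and make sure mod_php is not still processing the same files:

```apache
# Added example: hand PHP for one vhost tree to mod_suphp (Debian, Apache 2.2).
# The path is a placeholder; the handler name follows Debian's suphp.conf.
<IfModule mod_suphp.c>
    <Directory /var/www/somecustomuser/>
        suPHP_Engine on
        # map the extensions to the type that suphp.conf's [handlers] section
        # associates with /usr/bin/php-cgi (the php5-cgi package must be installed)
        AddType application/x-httpd-suphp .php .phtml
        suPHP_AddHandler application/x-httpd-suphp
        # never let mod_php run these files as www-data as well
        <IfModule mod_php5.c>
            php_admin_flag engine off
        </IfModule>
        Options -ExecCGI -Includes -Indexes -FollowSymLinks
        AllowOverride None
    </Directory>
</IfModule>
```

The ownership check is what answers the first post's question. Debian's default /etc/suphp/suphp.conf (verify the values in your own copy; they are assumptions here) sets `min_uid=100` and `min_gid=100`, and www-data on Debian is uid/gid 33, so a file the web server wrote itself, like the www-data-owned thisfile.php in the first listing, is refused with an error in /var/log/suphp/suphp.log instead of being run, while scripts owned by somecustomuseruser keep working. The same file also sets `allow_file_others_writeable=false` and `allow_directory_others_writeable=false`, so a script that some other account could have modified is refused too. Two trade-offs to be aware of: each request now forks a php-cgi process, which costs more than mod_php, and because a script runs with its owner's full rights, a vulnerable script of one user can still read and overwrite everything that user owns, just not the other users' trees.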
 