Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi to all,
First time here, so please forgive me if I mistakenly created this question in the wrong place.
Also sorry for my bad English (not native), but I'm trying to be as clear as I can.
I have a question regarding the Apache web server.
I'm running:
Linux debian 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 GNU/Linux
Code:
root@debian:/var/www/somecustomuser# ls -l
total 536
---------------------SNIP----------------------
-rwxrwx--- 1 somecustomuseruser www-data 23 Nov 29 22:27 test1.php
-rw-r--r-- 1 www-data www-data 23 Dec 22 11:48 thisfile.php
--------------------END SNIP---------------
All files and folders under /var/www/somecustomuser are recursively chmod'ed to another user of mine, named somecustomuseruser.
Also safe_mode is on there, so the default uid check applies.
But the problem is that if someone (hacker/attacker/script kiddie) somehow manages to upload a "shell" via HTTP, the
uploaded file will belong to www-data, not to somecustomuseruser.
Notice the uploaded file (thisfile.php).
If so, *I want to prevent execution of that uploaded file*.
Once again, to be clear: how can I *automatically prevent execution of uploaded files* (something like cPanel's Hulk)?
Do I need to use setfacl (ACLs) to solve this? Or is there another way?
Thanks in advance.
Last edited by Ijustdontloveyounomore; 12-22-2012 at 11:08 AM.
Reason: code tags
Quote:
Originally Posted by Ijustdontloveyounomore
But the problem is that if someone (hacker/attacker/script kiddie) somehow manages to upload a "shell" via HTTP, the uploaded file will belong to www-data, not to somecustomuseruser.
No, that is not the first problem: the first problem is denying unauthorized uploading. In short: proper system maintenance and host and service hardening first, and only then think about additional measures.
Quote:
Originally Posted by Ijustdontloveyounomore
*I want to prevent execution of that uploaded file*.
Once again, to be clear: how can I *automatically prevent execution of uploaded files*
Such a file gets executed because the web server can read its contents and match it with the right interpreter to run it with. One way could be to use suPHP, or an httpd.conf LocationMatch or .htaccess denying file read or execution, but again, if no proper host hardening was performed first this will be like tilting at windmills. If you would like to know more, tell us what application versions you run and what hardening you have performed already.
Quote:
Originally Posted by Ijustdontloveyounomore
something like cPanel's Hulk?
No, that seems to handle "Brute Force Protection". Obviously only a marketing department would describe as "much anticipated" something that a standard installed feature (PAM, that is) does already.
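An added example, not from either poster, of the httpd.conf form of the "deny file read or execution" approach mentioned in the reply above, written for Apache 2.2 with mod_php5 (the Debian squeeze generation matching the kernel quoted in the question). The vhost name and the assumption that /var/www/somecustomuser/uploads is the only directory www-data may write to are mine; the weak variant is shown in comments above the hardened one.

```apache
# Added example, not the poster's configuration. Apache 2.2 + mod_php5.
# Assumed layout: the application lives in /var/www/somecustomuser and the
# only directory www-data can write to is /var/www/somecustomuser/uploads.

# --- Weak (what a default vhost gives you) -----------------------------------
# The upload directory inherits the PHP handler from the server-wide
# php5.conf, so an uploaded shell.php is parsed and run as www-data as soon
# as someone requests it, and an uploaded .htaccess can change the rules.
#
#   <Directory /var/www/somecustomuser/uploads>
#       Options Indexes FollowSymLinks
#       AllowOverride All
#   </Directory>

# --- Hardened ----------------------------------------------------------------
<VirtualHost *:80>
    ServerName somecustomuser.example
    DocumentRoot /var/www/somecustomuser

    <Directory /var/www/somecustomuser>
        Options -Indexes -ExecCGI -Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Directory /var/www/somecustomuser/uploads>
        # Nothing in this tree is ever handed to the PHP engine. Set with
        # php_admin_flag it cannot be undone from .htaccess or ini_set().
        php_admin_flag engine off

        # Drop AddHandler/AddType style associations for script suffixes, so a
        # double extension such as shell.php.jpg is not matched by mod_mime.
        # Note: a server-wide "<FilesMatch> SetHandler application/x-httpd-php"
        # (Debian's php5.conf uses that form) merges *after* Directory sections
        # and is not removed by this; the engine-off line above and the deny
        # block below are the ones that hold either way.
        RemoveHandler .php .php3 .php4 .php5 .phtml .phar
        RemoveType    .php .php3 .php4 .php5 .phtml .phar

        Options -ExecCGI -Includes -Indexes
        AllowOverride None

        # With the engine off a .php file would be served as source, which
        # still hands back whatever the attacker dropped; refuse such names
        # outright. The pattern is deliberately not anchored with $, so
        # "shell.php.jpg" is refused as well.
        <FilesMatch "\.(php[345]?|phtml|phar|pl|py|cgi|sh)">
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
</VirtualHost>
```

Two checks after reloading: request a planted probe.php in the upload directory and confirm you get a 403 rather than either its output or its source; and confirm www-data cannot write anywhere else under the document root, because a file or directory that is group-writable by www-data is as good as the upload directory. On Apache 2.4 the Order/Allow/Deny lines become Require all granted / Require all denied.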
Basically it is not a production server. I set it up on my own computer (VirtualBox).
I also did port forwarding to serve incoming requests on port 80, so Apache is accessible from the Internet too.
I'm a bit familiar with penetration testing, so I also tested my server's security using "shells".
I disabled the cgi and ssi modules especially, because in such a configuration (what I have now) a local attacker can
bypass it and execute operating system commands.
I also hardened/separated users by applying the open_basedir restriction.
A bunch of PHP functions are also disabled (except a few).
I also set mysql.allow_local_infile=off, because there is a chance that an attacker can read others' configs that way.
But all this is not enough. In future I'm planning to separate uids/gids for every "client" too. This will harden the web server completely (I think, and I hope; but I've never done it).
I'm also using ClamAV to find "shells"/backdoors.
Do I need to harden it a bit?
If I use suPHP, can I prevent execution of that HTTP-uploaded file? (I'm sorry for my stupid questions; I've never used suPHP,
but I think RTFM can point me in the right direction.)
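An added example, not the poster's configuration, showing the mod_php side of the per-"client" separation listed in the post above: php_admin_value / php_admin_flag settings are fixed per VirtualHost from httpd.conf and cannot be relaxed from .htaccess or ini_set(), which is what makes them usable as a boundary between clients. Client names, paths and limits are assumptions.

```apache
# Added example, not the poster's configuration. Apache 2.2 + mod_php5,
# one VirtualHost per client. Paths and limits are assumptions.

<VirtualHost *:80>
    ServerName client1.example
    DocumentRoot /var/www/client1

    # Scripts of this vhost may open files only below these prefixes. The
    # trailing slash matters: open_basedir matches prefixes, so
    # "/var/www/client1" would also allow /var/www/client10.
    php_admin_value open_basedir "/var/www/client1/:/var/lib/php5/client1/"

    # Private session and upload scratch space instead of the shared
    # /var/lib/php5 or /tmp, so one compromised site cannot read or plant
    # another client's session files or temporary uploads.
    # (Both directories must exist and be writable by the PHP process user.)
    php_admin_value session.save_path "/var/lib/php5/client1/sessions"
    php_admin_value upload_tmp_dir    "/var/lib/php5/client1/upload"

    # No LOAD DATA LOCAL INFILE through the PHP MySQL clients: with SQL
    # injection this is otherwise a file read of anything the process user
    # can open, e.g. another client's config.php.
    php_admin_flag mysql.allow_local_infile  off
    php_admin_flag mysqli.allow_local_infile off

    # No remote file opens/includes from this client's code, and no error
    # text to the browser.
    php_admin_flag  allow_url_fopen    off
    php_admin_flag  allow_url_include  off
    php_admin_flag  display_errors     off

    # Per-client resource caps so one site cannot exhaust the server.
    php_admin_value memory_limit        "64M"
    php_admin_value max_execution_time  "30"
</VirtualHost>

# disable_functions is the exception: PHP only honours it from php.ini, so
# under mod_php it is one list for every vhost. A per-client function list,
# like a per-client uid/gid, needs a per-process PHP (suPHP, php-fpm)
# rather than mod_php.
```

The boundary this gives is only as good as the process user: under mod_php every vhost still runs as www-data, so a file www-data can write in one client's tree is reachable from any other client's scripts unless open_basedir is set on every vhost without exception. That is the gap the planned uid/gid separation (suPHP or php-fpm pools) closes.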
Quote:
Originally Posted by Ijustdontloveyounomore
(..) I disabled the cgi and ssi modules (..) I also hardened/separated users by applying the open_basedir restriction. A bunch of PHP functions are also disabled (except a few). (..) I also set mysql.allow_local_infile=off (..) I'm planning to separate uids/gids for every "client" too. (..) I'm also using ClamAV to find "shells"/backdoors.
Well, you did do more than a lot of users would, so: good!
Quote:
Originally Posted by Ijustdontloveyounomore
(..) I also tested my server's security using "shells".
Testing is good. Since you're into pentesting you know what your toolkit contains, and you know never to rely on one tool or one method.
Quote:
Originally Posted by Ijustdontloveyounomore
If I use suPHP, can I prevent execution of that HTTP-uploaded file? (I'm sorry for my stupid questions; I've never used suPHP. But I think RTFM can point me in the right direction.)
Simply start with the existing documentation?
Quote:
Originally Posted by Ijustdontloveyounomore
This will harden the web server completely (I think, and I hope).
Since you're into pentesting you know security is a continuous process of auditing, adjusting and remaining vigilant, always.