The Community Forums


CSF Syslog Security Warning, are there analogous features in cPanel itself?

Discussion in 'Security' started by ThinIce, Jan 30, 2014.

  1. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    CSF has been updated with a security warning around the security of the information in system logs. While I digest this (the http://configserver.com/free/csf/readme.txt contains useful further information), are there any cPanel scripts and features that can be similarly misled?

     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can review the associated configuration files for the service to get a better idea of what exactly it's utilized with:

    /etc/syslog.conf
    /etc/rsyslog.conf

    Thank you.
     
  3. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    An interesting discussion with involved participants can be found at

    Log Spoofing Vulnerabilities - CSF, BFD, Fail2Ban and Many Others... [SEEKING INPUT] - Hosting Security and Technology - Web Hosting Talk

    The full thread is worth a read, but there is a protection available if you use CloudLinux, albeit with the side effect of preventing cron job logging. Igor's post Web Hosting Talk - View Single Post - FEATURED Log Spoofing Vulnerabilities - CSF, BFD, Fail2Ban and Many Others... [SEEKING INPUT]

     
  4. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Big question then ---> If we need to disable brute force detection within CSF, then can cPHulk then "pick up the slack"?

    In other words, does cPHulk suffer from the same log spoofing vulnerability as apparently CSF does now?
     
  5. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    /subscribing
     
  6. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Anyone familiar enough with cPHulk to be able to answer this question? TIA.
     
  7. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    While I wouldn't presume to speak for him, that doesn't necessarily appear to be chirpy's suggestion:

    Web Hosting Talk - View Single Post - FEATURED Log Spoofing Vulnerabilities - CSF, BFD, Fail2Ban and Many Others... [SEEKING INPUT]

    I'd take the "particularly self-destructive and untrustworthy client base" bit to mean that you know full well you've got a lot of exploitable Joomla 1.x installs outstanding, or something of the ilk, or that you know full well you've got people signing up just to screw with you. That said, I guess most hosts are going to have an estimated % of accounts compromised at any one time regardless of their policies; I suppose you have to weigh how you feel about the state of your systems and the protection these features provide against having to be a bit more careful.

    Note there is also now a beta option to restrict access to syslog

    Web Hosting Talk - View Single Post - FEATURED Log Spoofing Vulnerabilities - CSF, BFD, Fail2Ban and Many Others... [SEEKING INPUT]

     
  8. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    That's the kind of thing I was hoping the cPanel guys might comment on. I'd imagine, given the pros and cons on this one, they're formulating a measured response before posting; it wouldn't overly surprise me to learn the major people involved are chin wagging together in private as well as in the public discussions on WHT.

    The reason you can check, for example, reported root logins against /var/log/wtmp using last (to be sure they aren't spoofed) is that it is not a syslog log (I believe /var/log/secure is, off the top of my head). As far as cPHulk goes, I'm guessing that it'll suffer at least some of the same problems as CSF...
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're speaking very well for me :)

    We're hoping that the new BETA option will suffice, short of Redhat/CentOS releasing a more secure logging daemon for v5/v6 (which isn't likely to happen at all), to help mitigate this issue. Even without the new option, you do indeed have to weigh the likelihood of an attacker wanting to disrupt the server they are on (they don't usually want to do this) compared to exploiting its resources for their own ends (they usually want to do this). So, disabling the affected options completely is likely to be self-defeating.

    cPHulk works in a very different way to lfd's log line scanning. For most services it is assessing the patterns of login attempts to services via PAM and then prevents further logins from the source as configured. In that sense, it isn't going to be vulnerable to this issue, however it does have its own weaknesses when it comes to blocking the attacks and so a variety of protection mechanisms can't usually hurt.
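    The point made in the opening post, in post 8 and in chirpy's reply above is that lfd (like BFD and Fail2Ban) decides whom to block from the text of log lines, and the program tag in a syslog line is supplied by whoever wrote to /dev/log, so any local account can append a convincing "sshd: Failed password ... from <ip>" line. The following is an added example for this thread, not code from CSF, cPanel or any participant. It runs an lfd-style pattern over two constructed log lines (one genuine, one a local user could produce with logger(1)) to show that the scanner cannot tell them apart, and then shows the one thing a log scanner can check if the daemon records who sent each message: rsyslog's imuxsock module can append the sender's kernel-reported credentials (SCM_CREDENTIALS) with `$SystemLogSocketAnnotate on`. The `@[ ... ]` annotation layout, the sample lines and the trusted-sender table are assumptions for the example; check a line from your own rsyslog before relying on the exact format.

```python
"""Forged syslog lines versus an lfd-style scanner, and a sender check.

Added example for this forum thread; not CSF/lfd, cPanel or cPHulk code.
The "@[ ... ]" annotation layout is ASSUMED to match what rsyslog's imuxsock
emits with $SystemLogSocketAnnotate on; all log lines below are constructed."""
import re
from collections import Counter

# Classic sshd failure line as a log-scanning blocker matches it. The program
# tag "sshd[2201]" is part of the syslog payload, so any local process can
# supply it (e.g. logger -t 'sshd[1234]' 'Failed password ...').
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^ :\[]+)(?:\[\d+\])?: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+ ssh2"
    r"(?P<rest>.*)$"
)
# Sender credentials appended by rsyslog's imuxsock annotation (assumed layout).
ANNOTATION = re.compile(r" @\[ (?P<fields>.*) \]$")
ANN_FIELD = re.compile(r"_(PID|UID|GID|COMM|EXE)=(\S+)")

# Constructed sample (not from a real server). Line 1 is a genuine sshd
# failure; line 2 is what an unprivileged user can get into /var/log/secure.
PLAIN_LOG = """\
Jan 30 10:01:02 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 30 10:01:09 host1 sshd[1234]: Failed password for root from 203.0.113.9 port 4444 ssh2
"""
# The same two events as rsyslog would write them with sender annotation on:
# the forged line now carries its real sender (uid 1001, /usr/bin/logger).
ANNOTATED_LOG = """\
Jan 30 10:01:02 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2 @[ _PID=2201 _UID=0 _GID=0 _COMM=sshd _EXE=/usr/sbin/sshd _CMDLINE=sshd: root [priv] ]
Jan 30 10:01:09 host1 sshd[1234]: Failed password for root from 203.0.113.9 port 4444 ssh2 @[ _PID=31337 _UID=1001 _GID=1001 _COMM=logger _EXE=/usr/bin/logger _CMDLINE=logger -t sshd[1234] Failed password for root from 203.0.113.9 port 4444 ssh2 ]
"""

# Which daemons are allowed to report ssh failures (assumed table): COMM -> EXE.
TRUSTED_SENDERS = {"sshd": "/usr/sbin/sshd"}


def naive_failed_logins(log_text):
    """Count failures per source IP the way a pure log-line scanner does:
    every line matching the pattern is believed, forged or not."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def sender_credentials(rest):
    """Parse the trailing '@[ ... ]' annotation into a dict; None if absent."""
    m = ANNOTATION.search(rest)
    if not m:
        return None
    return dict(ANN_FIELD.findall(m.group("fields")))


def verified_failed_logins(log_text, trusted=TRUSTED_SENDERS):
    """Count failures only from lines whose annotated sender ran as root and
    is a trusted daemon binary. Lines with no annotation cannot be attributed
    and are rejected too. Returns (hits, rejected_lines)."""
    hits, rejected = Counter(), []
    for line in log_text.splitlines():
        m = SSHD_FAIL.match(line)
        if not m:
            continue
        cred = sender_credentials(m.group("rest"))
        trusted_sender = (
            cred is not None
            and cred.get("UID") == "0"
            and trusted.get(cred.get("COMM")) == cred.get("EXE")
        )
        if trusted_sender:
            hits[m.group("ip")] += 1
        else:
            rejected.append(line)
    return hits, rejected


if __name__ == "__main__":
    print("naive scanner :", dict(naive_failed_logins(PLAIN_LOG)))
    hits, rejected = verified_failed_logins(ANNOTATED_LOG)
    print("with sender   :", dict(hits), "rejected:", len(rejected))
```

The naive count treats 203.0.113.9 exactly like the real attacker's address, so a local user repeating that line a few times gets whatever IP they name blocked; that is the disruption chirpy weighs against the usual attacker's interest in keeping the server usable. The sender check only helps where the logging daemon records credentials, which the classic syslogd on CentOS 5 does not, and it still trusts anything running as uid 0. cPHulk's PAM-based counting and the wtmp check with `last` mentioned in post 8 sidestep the problem entirely because neither reads a syslog-fed file.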
     
  10. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    Heh, I'm blushing :eek:

    Thanks for the extra info on cPHulk, I imagine that'll be a useful clarification for many (unless I'm just being a klutz and missed an obvious indicator ;) )
     
  11. PPNSteve

    PPNSteve Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Somewhere in Ilex Forest
    cPanel Access Level:
    Root Administrator
    What I really want to know, at this time, is what to set the RESTRICT_SYSLOG option in the CSF config to on a cPanel based shared hosting server.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    From the ConfigServer Blog:
     
  13. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy