The Community Forums


Executing /usr/sbin/csf from PHP

Discussion in 'Security' started by GoWilkes, Jun 17, 2014.

  1. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I would like to execute this code via PHP:

    Code:
    <?php
    $ip = "123.45.67.89";
    // quote the untrusted value itself; escapeshellcmd() leaves spaces and dashes alone, so a value like "1.2.3.4 -d in" would become extra csf arguments, and the comment is passed as a single argument
    exec("/usr/sbin/csf -td " . escapeshellarg($ip) . " 43200 -p 80 'IP Blocked'", $output, $status);
    
    In practice, I'm looking for specific patterns in the QUERY_STRING variable, to catch hackers that are trying to run SQL injections. There's obviously a lot more to the live code, but in testing the above still doesn't work from PHP. The command works via SSH, but not via PHP.

    /usr/sbin/csf is owned by root root, and has a permission of 700, so I suspect that this is why I can't run it from PHP.

    Can you guys suggest a way to effectively run this? I considered changing the owner of /usr/sbin/csf, but I don't know if this would cause any problems with CSF in general.

    I also considered creating a bash script that PHP can run, and use that script to launch the command, but bash isn't my strength, and I'm not 100% sure it would work, anyway.

    I also considered skipping /usr/sbin/csf and updating an .htaccess file with something like:

    Code:
    # Apache 2.2 access-control syntax: allow everyone except the listed address
    order allow,deny
    deny from 123.45.67.89
    allow from all
    
    But of course, this is a little more dangerous since one little error could screw up the whole site.

    Any other suggestions?
     
  2. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    One approach that may be preferable is to have your scripting update a block list text file that CSF then fetches using its provided mechanism for doing so. That way you won't be doing anything esoteric.

    This is in the readme under section 24. IP Block Lists

    http://configserver.com/free/csf/readme.txt

    You can obviously protect your block list a little so it can only be fetched from your own server IPs. I wouldn't want to speak for Chirpy, but I'd imagine he'd suggest not changing the permissions on the CSF binary; you might want to ask over on his forums if you haven't already.

    I'd guess that the escaping and such like done on any input to the provided block list feature offers you extra protection in case something bad ™ happens.
     
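As an added illustration of the block-list approach described above (this is example configuration, not from the thread or from CSF's own files; the list name, the URL, the file location and the server address are assumptions), the two pieces involved are an entry in /etc/csf/csf.blocklists and an access restriction on the served file:

```apache
# --- /etc/csf/csf.blocklists entry (format from readme section 24: NAME|INTERVAL|MAX|URL) ---
# The web application writes one IP per line to the file at this URL. lfd re-fetches it
# every INTERVAL seconds (3600 here) and applies every entry (MAX of 0 means no cap).
# List name and URL are this example's own assumptions.
WEBAPPBLOCK|3600|0|http://127.0.0.1/blocklist/blocked.txt

# --- Apache 2.2-style .htaccess in the directory that serves blocked.txt ---
# Only the server itself should be able to read the list, so nobody else can enumerate
# which addresses you are blocking. Uses the same order/deny/allow syntax as the
# snippet earlier on this page; the loopback address is assumed to be how lfd reaches it.
<Files "blocked.txt">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Files>
```

Whatever the web application writes into blocked.txt should already be limited to bare IP addresses (one per line); the file is the only thing the privileged side ever reads, so keeping it strictly formatted is the safeguard.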
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    650
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I just wanted to point out that as mentioned in the previous post, you may want to post this question to the CSF forums if you have not done so already.

    Thank you.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Why not just use a ModSecurity rule to catch the query string, and use the LF_MODSEC setting in csf.conf to block repeat offenders? By default, CSF will block any IP which trips more than 5 ModSecurity errors in 300 seconds. I use this as a defense all the time. You can raise/lower the number of triggers, as well as set temporary instead of permanent IP blocks.

    Trying to let Apache/PHP run or edit anything with CSF could carry some potentially huge risks, seeing as the actual deny file (csf.deny) and other files are also root owned. Even if a non-privileged user (i.e. "nobody," or the account owner with SuPHP) could run the CSF binary, it would most likely be run without sufficient privileges to edit its own files. Obviously you don't want to let PHP or the web server do anything as root or with root owned files, nor would you want to make your firewall binaries and configs executable or writeable by non-privileged users.

    Also, ThinIce's suggestion isn't bad at all. You could have your PHP app put the IP(s) into a text file, and set up a cron job for root which runs csf -d for the IPs in that file. I'd still much prefer to go the modsec route though, much cleaner, and the requests are blocked before your app has to parse them.
     
    #4 quizknows, Jun 17, 2014
    Last edited: Jun 17, 2014
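The ModSecurity plus LF_MODSEC combination suggested in the post above, shown as an added example (not code from the thread or from the CSF or ModSecurity projects; the rule id, the regex, the file placement and the temp-block lifetime are this example's own choices):

```apache
# --- ModSecurity 2.x rule, assumed to live in a custom rules file that the
# cPanel-managed httpd.conf includes (rule id and pattern are this example's own) ---
# Match common SQL-injection tokens in the decoded query string before the request
# reaches PHP, deny it with a 403 and log the denial. That logged denial is what lfd
# counts per client IP for LF_MODSEC, so the rule must keep the "log" action.
SecRule QUERY_STRING "@rx (?i)(union[\s/*]+select|information_schema|\bsleep\s*\(|\bbenchmark\s*\()" \
    "id:1000101,phase:1,t:none,t:urlDecodeUni,t:compressWhitespace,deny,status:403,log,msg:'SQLi pattern in QUERY_STRING'"

# --- /etc/csf/csf.conf settings the post refers to ---
# Block an IP after 5 ModSecurity denials within LF_INTERVAL seconds
# (LF_INTERVAL is shared by the other LF_ login-failure triggers, so raising it affects them too)
LF_MODSEC = "5"
LF_INTERVAL = "300"
# "1" means a permanent block; any other value is the temporary block lifetime in seconds
LF_MODSEC_PERM = "43200"
# lfd reads the denials from this log, so it must be the Apache error log ModSecurity writes to
# (the cPanel Apache path of the time is assumed here)
MODSEC_LOG = "/usr/local/apache/logs/error_log"
```

With these settings a scanner that trips the rule five times in five minutes is firewalled for twelve hours without PHP ever seeing the requests, which is the point quizknows makes about the request being blocked before the application parses it.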
  5. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    On my end, I'm already testing for injection attempts, and that sends an email to me for manual handling. So ThinIce's suggestion would be the easiest to implement; it's just a matter of writing to the file at that point.

    I do have other questions on that, but I'll post them on the CSF forum. Thanks for the input!
     
  6. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    We're getting down the rabbit hole now, but without actually having the energy to look, I'm wondering whether csf -d does different checking on command-line input than on block lists it fetches via HTTP, which could conceivably be bad. I'd imagine, given CSF's pedigree, that all input is appropriately sanitised. I dunno that I'd want to pass anything written to a file by a web app to a root cron execution, but I might be over-egging the paranoia.

    For the OP, I think Quizknows' suggestion is the best way to go if you're using modsec already. One criticism I do have of CSF is that certain things like the LF_MODSEC setting aren't mentioned in the readme. You can see them in the config file / WHM interface, however.
     
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    That's a very good point regarding csf -d, were a hacker to gain a PHP shell and edit the IP list, adding command line arguments, that could very possibly be a huge risk if the cron was not coded to accommodate that possibility (i.e. parse the list with a regex for IPs only). Parsing an extra blocklist is probably safer overall.

    I still contend, as you agree, that ModSecurity is a better way to go about this. You catch the malicious PHP requests before your webapp has to do anything with them. It's better security wise, and probably more efficient as far as server load goes.
     
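The root cron consumer that quizknows describes in post #4 and the strict IP-only parsing the last two posts call for, as an added example (this is not code from the thread or from CSF; the queue file path, the hypothetical web-app name in it and the block comment are assumptions). The point it demonstrates is the one ThinIce raised: a line such as "1.2.3.4 -p 22 -d in" or "--help" planted in the file by a compromised PHP script must never reach csf as option text, so each line is accepted only if it is exactly a dotted-quad IPv4 address, and each accepted address is handed to csf as a single argument:

```shell
#!/bin/sh
# Added example, not from the thread or from CSF: root-side cron consumer for an IP list
# that a web application appends to. Only bare dotted-quad IPv4 lines are accepted, so
# attacker-controlled option text left in the file is dropped rather than passed to csf.
# QUEUE path and the block comment are assumptions; CSF_BIN defaults to the real binary.

QUEUE="${QUEUE:-/var/lib/myapp/block_queue.txt}"   # hypothetical file the web app writes to
CSF_BIN="${CSF_BIN:-/usr/sbin/csf}"
TTL="${TTL:-43200}"                                 # temporary block lifetime in seconds

# One octet: 0-255 with no leading zeros, so "01.2.3.4" and "256.1.1.1" are rejected
IPV4_OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4_RE="^${IPV4_OCTET}(\.${IPV4_OCTET}){3}\$"

# is_ipv4 IP: succeed only if IP is exactly four octets and nothing else
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq "$IPV4_RE"
}

# valid_ips FILE: print the distinct valid addresses in FILE, one per line. Blank lines,
# comments, CRLF endings and any line carrying extra tokens are silently dropped.
valid_ips() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        is_ipv4 "$line" && printf '%s\n' "$line"
    done < "$1" | sort -u
}

# block_queue FILE: temp-deny each valid address on port 80 and print how many were
# passed to csf. The address is one argv element, so csf never parses it as options.
block_queue() {
    count=0
    for ip in $(valid_ips "$1"); do
        "$CSF_BIN" -td "$ip" "$TTL" -p 80 "Blocked by web app" >/dev/null 2>&1 || continue
        count=$((count + 1))
    done
    echo "$count"
}

# Intended cron usage (assumed): run as root every few minutes, then truncate the queue
# only after a successful pass, e.g.  block_queue "$QUEUE" && : > "$QUEUE"
```

The queue file should be writable by the web server user but the script, its directory and csf itself stay root-owned; the only data that crosses the privilege boundary is the list of bare addresses that survive is_ipv4.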