find/ln permissions for better security

myBox

Active Member
Jan 6, 2004
Due to hacking attempts I am getting, I thought of restricting access to the find and ln binaries.

I have cPanel with suPHP, and most of the hacks I see are people creating symbolic links to other people's directories and then directly connecting to MySQL using the other users' credentials.

Even if I block the use of the symlink function in PHP, they get around it by making one in a Perl script. I already have -ExecCGI, but they get around it by adding an AddHandler cgi-script directive to .htaccess.

So my question: will there be a problem if I set find and ln to chmod 700?

What other possible ways can I stop them from creating symbolic links, or running CGI scripts outside the cgi-bin directory?

Thanks
 

ne0shell

Well-Known Member
Oct 9, 2003
The first thing you should do is terminate any clients who do such things.

Have you tried setting the "PHP open_basedir Tweak" in cPanel's security settings?

You can also install mod_security.

Restricting access to find and link should not create any issues for a static host but you will need to monitor your logs to see if any applications / cPanel have issues.

To solve the Perl script hack:

Edit the httpd config:

nano /usr/local/apache/conf/httpd.conf

and search for <Directory />; if that is not matched, search for "/".

You will see this:

<Directory />
Options
</Directory>

Change it to:

<Directory />
Options -ExecCGI
</Directory>

Then edit access.conf:

nano /usr/local/apache/conf/access.conf

and put in this code:

<Directory />
Options -ExecCGI
</Directory>

Then restart Apache:

/etc/init.d/httpd restart


Remove the ability for end users to create htaccess files: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

Lastly, edit permissions on /home and remove read ability from everyone except owner.
 

ne0shell

Well-Known Member
Oct 9, 2003
Yeah, and actually, thanks to Drupal and Joomla and other "iffy" PHP applications, you can't disable symlinks entirely or remove .htaccess from user web roots.

A better option is to edit the default apache.conf (using the new process the previous poster linked to) and, under the Options directive, add SymLinksIfOwnerMatch.

This will enable symlinks only if they are in the same folder structure owned by the same user who owns the htaccess file - which should prevent the symlink hack from exposing other users' files.

If you're enabling SSH access for end users, don't. If it's really needed for your business then install Xen or another VPS kernel and use VPS for end users in place of shared hosting. SSH and shared hosting is asking for trouble.
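
An added audit sketch for the problem discussed in this thread (not code from any poster or from cPanel): it walks each account's home and reports .htaccess lines that turn CGI handlers or FollowSymLinks back on, plus symlinks that resolve outside the owning account's home. The one-directory-per-account layout under the home root, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Directives from the thread that let a user-writable .htaccess re-enable CGI
# or unrestricted symlink following (matched case-insensitively, like Apache).
RISKY = re.compile(
    r"^\s*(AddHandler\s+cgi-script\b|SetHandler\s+cgi-script\b|"
    r"Options\b.*(?<![-\w])\+?(ExecCGI|FollowSymLinks)\b)", re.I)

def audit_home(home_root):
    """Return (kind, path, detail) findings for each account dir under home_root."""
    findings = []
    for account in sorted(os.listdir(home_root)):
        acct_dir = os.path.realpath(os.path.join(home_root, account))
        if not os.path.isdir(acct_dir):
            continue
        for dirpath, dirnames, filenames in os.walk(acct_dir):  # links not followed
            for name in sorted(dirnames + filenames):
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    # Flag links that resolve outside the owning account's home.
                    target = os.path.realpath(path)
                    if os.path.commonpath([acct_dir, target]) != acct_dir:
                        findings.append(("symlink", path, target))
                elif name == ".htaccess":
                    with open(path, errors="replace") as fh:
                        for line in fh:
                            if RISKY.match(line):
                                findings.append(("htaccess", path, line.strip()))
    return findings

def build_sample(root):
    """Constructed sample tree: two accounts, one benign and one suspicious."""
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(root, user, "public_html"))
    alice, bob = (os.path.join(root, u, "public_html") for u in ("alice", "bob"))
    with open(os.path.join(bob, "config.php"), "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    with open(os.path.join(bob, ".htaccess"), "w") as fh:
        fh.write("Options -ExecCGI +SymLinksIfOwnerMatch\n")
    with open(os.path.join(alice, ".htaccess"), "w") as fh:
        fh.write("# constructed\nAddHandler cgi-script .pl\nOptions +FollowSymLinks\n")
    os.symlink(os.path.join(bob, "config.php"), os.path.join(alice, "link.txt"))
    os.symlink(os.path.join(alice, ".htaccess"), os.path.join(alice, "own.txt"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_home(tmp):
            print(*finding, sep="\t")
```

On a real server, pass the home root (for example /home) to audit_home as root from cron and review the findings; a symlink that stays inside its own account, such as own.txt in the sample, is not reported.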