The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

how to make suhosin ingore a file / script

Discussion in 'Security' started by Metro2, May 8, 2010.

  1. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Sorry to post this question here, but the suhosin forums appear to be down for maintenance.

    I keep getting email alerts from one of my servers with the subject "ACTIVE SYSTEM ATTACK" and they are in regard to a single file/script in a single customer account.

    Here's the message (with x's to replace sensitive info of course):

    Active System Attack Alerts
    =-=-=-=-=-=-=-=-=-=-=-=-=-=
    May 8 03:30:55 suhosin[31505]: ALERT - configured request variable name length limit exceeded - dropped variable '/site/data/no/19/740_480_0_100_1_100_100_0_60_1_54_40_0_20_20_local' (attacker 'xx.xx.167.179', file '/home/xxxxxxx/public_html/xxxxxxxxxxx.com/script_name/index.php')

    ---------------

    Basically all I want to do is get the server to stop sending me alerts about that one file/script in that one user account.

    Can anyone here tell me how to do that?

    BTW, I checked into trying to figure out what I could possibly put in /etc/logcheck/ignore or /etc/logcheck/violations.ignore but unfortunately I can't figure out what I should enter in there for this particular attack alert, and I don't want to muck anything up, so I figured it was time to start asking around.

    Thank you for any advice / replies!
     
  2. thobarn

    thobarn Well-Known Member

    Joined:
    Apr 25, 2008
    Messages:
    153
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    sanctum sanctorum
    I don't know a way to exclude a specific file/script but the options that govern the alert you are getting are:

    suhosin.get.max_name_length (default 64)
    suhosin.post.max_name_length (default 64)
    suhosin.request.max_varname_length (default 64)

    so by increasing the values for one or more of these options in php.ini to match or exceed the length of the variable name '/home/xxxxxxx/public_html/xxxxxxxxxxx.com/script_name/index.php' and the method of submission, you can stop this alert being generated. Please note that the change would apply to all scripts globally.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:

    Just guessing here, but could this be a cache file of some sort that could be cleared instead of weakening your security? If it's not a cache file, could it be some silly person naming a directory or file very long for some reason that you could get them to change?

    I'd be going down that road long before I'd be loosening my security for one user. If it can be fixed on their end, ask them to fix it.
     
  4. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Thanks for the replies / opinions. It could be a cache file, I don't know, but what I do know is that the script is SSP Director (SlideShowPro) and is an essential part of the customer's web site, and it is not a danger. However, I don't think I should lengthen the max_name_length on the suhosin PHP settings too much, so I guess I was just hoping for a way to have the alerts for that one file or one account ignored / not emailed to me. Looks like I've got a bit more research to do...

    Thanks for the input from both of you, I appreciate it!
     
Loading...
Similar Threads - suhosin ingore file
  1. cowner
    Replies:
    7
    Views:
    461

Share This Page