First, I'd like to state that I've been using Apache since the 1.0 days and deploying working/secured systems into production environments since 1995. I have been using cPanel since 2004 and am not a complete noob, but have not fully delved into all the aspects of the system (time constraints).
I have been attempting to solve a security breach with a user and when I read through the httpd.conf it dawned on me what I was seeing.
Apache 2.2.x
<Directory "/">
Options ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
AllowOverride All
</Directory>
Apache 1.3.37
<Directory "/">
Options All
AllowOverride All
</Directory>
These made my jaw drop - this is 100% against good security practices, even those that Apache themselves state:
Security Tips - Apache HTTP Server
So, I attempted the obvious: secure the / directory and allow the options/overrides for user/virtualhost folders. But then stuff everywhere failed to work. Explicit Directory options are needed for the system cgi, for php to work in suexec/suphp mode... lots of work that should have already been done for the out-of-the-box setup.
Both my cPanels have been updated in the past 30 days and are sitting at 11.24.
My Google-fu failed to help me locate anyone who has identified all the paths and which files to place these overrides in (I am assuming the /var/cpanel/templates/ files).
Any pointers to save me the time that should have already been put in would be appreciated! If/when I can collect this information I will bring it all together and do a how-to on securing your Apache setup better.
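A way to check a server for the condition described in the post, as an added example that is not part of the original post and not cPanel or Apache code: a small parser that reads the `<Directory>` blocks from httpd.conf text and reports what the "/" block leaves enabled. The sample configuration is constructed from the 2.2.x block quoted above plus a hypothetical per-user block, and the set of options treated as risky is this example's own choice.

```python
import re

# Constructed sample: the Apache 2.2.x root block quoted in the post, plus a
# hypothetical per-user block (the path is a placeholder).
SAMPLE_CONF = """
<Directory "/">
Options ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
AllowOverride All
</Directory>
<Directory "/home/example/public_html">
Options SymLinksIfOwnerMatch
AllowOverride AuthConfig
</Directory>
"""

# This example's own choice of Options values to flag on the root directory.
RISKY_OPTIONS = {"all", "execcgi", "includes", "indexes", "followsymlinks"}

def parse_directory_blocks(conf_text):
    """Map each <Directory> path to its Options and AllowOverride arguments."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            path = opened.group(1).strip()
            current = blocks.setdefault(path, {"options": [], "allowoverride": []})
        elif re.match(r"</Directory\s*>", line, re.I):
            current = None
        elif current is not None:
            name, *args = line.split()
            if name.lower() in current:
                current[name.lower()] += args
    return blocks

def audit_root(blocks):
    """Return findings for the "/" block; unset directives use Apache 2.2 defaults."""
    root = blocks.get("/", {"options": [], "allowoverride": []})
    options = root["options"] or ["All"]          # 2.2 default: Options All
    overrides = root["allowoverride"] or ["All"]  # 2.2 default: AllowOverride All
    enabled = {o.lstrip("+").lower() for o in options if not o.startswith("-")}
    findings = [f"Options enables {o} as the inherited default" for o in sorted(enabled & RISKY_OPTIONS)]
    if {o.lower() for o in overrides} != {"none"}:
        findings.append("AllowOverride is not None: any .htaccess can change settings")
    return findings

if __name__ == "__main__":
    for finding in audit_root(parse_directory_blocks(SAMPLE_CONF)):
        print(finding)
```

Run against a copy of the real httpd.conf by passing its contents to `parse_directory_blocks`; the returned mapping also lists every other `<Directory>` path, which helps when working out which explicit per-directory grants are needed after the root is locked down.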