
Security File upload exploits?

Discussion in 'System Administration' started by joshuah, Apr 24, 2017.

  1. joshuah

    joshuah Member

    Hello,

    Someone has raised some concerns to me about using such a setup where the users are not isolated.

    The concern being that if someone uploaded a file browser they could effectively access all files on all accounts, etc. Is that accurate?

    I am not going to be giving out FTP access to any users.

    My biggest concern is: if someone did manage to upload a file browser script, could they mess the server up and access other users' information?

    What is the best way to mitigate that? What are other users doing?
     
  2. elargento

    elargento Member

    I would like to know the same: even if every site has its own FTP account, how might they be able to gain access to other accounts or to the server itself?
     
  3. eva2000

    eva2000 Administrator Staff Member

    FAQ item 2 explains the Centmin Mod situation: there are no chroot/jailed users, as Centmin Mod isn't for shared hosting. There are plans for future chroot/jailing of users, i.e. https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/.

    However, the only mitigation right now is to have one server/VPS per site, if the site is important enough to you.

     
  4. joshuah

    joshuah Member

    I don't mean making it shared hosting as in selling services. It's a fully locked down service, i.e. no one has access to FTP etc.; they will only have access via wp-admin. But the issue is, if one website gets exploited, every website on the server will be.
     
  5. eva2000

    eva2000 Administrator Staff Member

    It's still related... shared hosting requires chroot/jailed user accounts. Protecting each site from one exploited account being able to access other website accounts also requires chroot/jailed user accounts.
     
  6. elargento

    elargento Member

    So the risk is still that if anyone is able to upload an exploit to my site (e.g. by taking advantage of a WordPress security bug), he will have access to any other domains hosted on the server? Security doesn't always depend on the server admin; it also depends on the security of the platforms (blogs, forums or whatever platform is being used).
     
  7. eva2000

    eva2000 Administrator Staff Member

    Yes, that is the risk, which is why you should always keep web apps/scripts up to date and why the centmin.sh menu option 22 WordPress installer also configures auto-update of WordPress via cronjob. A chroot/jailed implementation and its testing take a lot of time and effort to implement and support. Not many free LEMP/LAMP web stack solutions provide jailed/chroot accounts out of the box when they don't have any paid/commercial support options attached to their service/product offerings to recoup the costs involved in development, testing and support.

    With that said, even with chroot/jailed user accounts, sites sharing the same server can be compromised, even on cPanel/WHM control panels. I had paid clients who hired me to clean up infections and diagnose their cPanel/WHM server being hacked for their forums. They had kindly tried to host a friend's WordPress blog on a chroot/jailed account on cPanel/WHM. But that friend hadn't updated their WordPress blog in years.

    Hackers got through the WordPress blog, uploaded malicious files and PHP command shell scripts, and populated multiple phpMyAdmin instances and old vulnerable WordPress files in dozens of web-accessible public directories, i.e. uploads and attachment folders. So the hacker always had multiple web-accessible backdoors into the server to re-infect. They then used that to get access to the MySQL server and to the forum's database, and injected backdoors via the database to get access to the forums.

    So every time the forum owner paid someone to clean their forums of hacks and infections, the hackers kept coming back and breaking in via WordPress and the multiple backdoors the hackers left behind on sites other than the forum files. That forum owner eventually hired me to clean up after wasting money hiring others, and I cleaned them up once and for all once I pinpointed the vulnerability and backdoor methods :)

    Basically, keep your scripts updated regardless of whether you have a chroot/jailed environment or not, and if your site is important, isolate it to a server of its own :)
     
  8. elargento

    elargento Member

    Wow, I thought WHM/cPanel was safer since they provide jailed accounts. I'm using CXS and it has been really great; I guess he didn't have it installed to block malicious scripts. There are many ways malicious scripts can be blocked, but I don't think jailed accounts are a con for Centmin Mod. It all depends on which secondary tools you use to protect your server.
     
  9. eva2000

    eva2000 Administrator Staff Member

  10. elargento

    elargento Member

    Can those security measures be applied to an already running blog?
    I could use the WP auto installer and then import all posts, but that would mean reinstalling all addons, themes and theme settings, which could take me many hours.
     
  11. joshuah

    joshuah Member

    You could just use an all-in-one importer plugin?
     
  12. joshuah

    joshuah Member

    I wonder if installing and running the CXS daemon (on-access scanning) would be beneficial on Centmin Mod?
     
  13. eva2000

    eva2000 Administrator Staff Member

    Security is at the nginx level via the nginx vhost configuration that centmin.sh menu option 22 sets up, plus the tools/autoprotect.sh rules generated for each nginx vhost (https://community.centminmod.com/th...ccess-check-migration-to-nginx-deny-all.7308/) in 123.09beta01.
    I haven't used CXS on Centmin Mod so I'm not sure. Centmin Mod nginx doesn't have mod_security, which ConfigServer eXploit Scanner (CXS) requires, AFAIK.
     
  14. elargento

    elargento Member

    It seems it works at a certain level:
    http://www.webhostingtalk.com/showthread.php?t=1567479
     
  15. eva2000

    eva2000 Administrator Staff Member

    Interesting.. so maybe, but CXS is US$60/server heh
     
  16. elargento

    elargento Member

    Great, so copying the vhost file of an auto-installed blog will be enough (and installing the WP security plugin it includes)?
     
  17. elargento

    elargento Member

    How much did you charge to clean your customer's server? Less than $60? :D
    I will definitely install it as soon as I get my server. Maybe we can get to a solution to make it work like that user did.
     
  18. eva2000

    eva2000 Administrator Staff Member

  19. elargento

    elargento Member

    Could maldet be configured to scan only files which are being uploaded or created? That could help to reduce server resource usage, maybe, by avoiding scans of already-safe files.
     
  20. eva2000

    eva2000 Administrator Staff Member

    pure-ftpd has upload scan support with ClamAV, but it seems to be broken; I haven't looked at it since. Still, it requires a lot more memory, ~4-8GB extra memory recommended.
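A defender-side sweep for the backdoor pattern described in post 7 (PHP scripts dropped into web-accessible upload folders, sometimes behind an image extension) that also covers post 19's wish to examine only newly created files. This is an added example, not Centmin Mod's, maldet's or CXS's code; the /home/nginx/domains/*/public docroot layout in the commented usage is an assumption.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own tooling. Flags files under an uploads
# directory that should never contain server-side code: anything with a PHP
# extension, plus files with an innocent extension whose contents carry a PHP
# open tag (the "image" that is really a script). With MINUTES set, only files
# modified in the last MINUTES are examined, which keeps a cron sweep cheap.
#
# Usage: find_php_in_uploads DIR [MINUTES]
find_php_in_uploads() {
  dir="$1"
  mins="${2:-}"
  [ -d "$dir" ] || return 1
  recent=""
  if [ -n "$mins" ]; then
    recent="-mmin -$mins"
  fi
  {
    # 1. executable by extension: .php, .phtml, .phar, .php5 and friends
    # shellcheck disable=SC2086
    find "$dir" -type f $recent \( -iname '*.php' -o -iname '*.phtml' \
         -o -iname '*.phar' -o -iname '*.php[0-9]' \) -print
    # 2. content check: a PHP open tag inside any file, whatever its name says
    # shellcheck disable=SC2086
    find "$dir" -type f $recent -exec grep -l '<?php' {} + 2>/dev/null || :
  } | sort -u   # a file hit by both checks is listed once
}

# Number of flagged files, handy for a cron job that alerts when non-zero.
count_php_in_uploads() {
  find_php_in_uploads "$@" | wc -l | tr -d ' '
}

# Cron-style usage over every vhost's uploads folder (the path layout is an
# assumption; adjust to your docroots), looking at the last 60 minutes only:
# for d in /home/nginx/domains/*/public/wp-content/uploads; do
#   n=$(count_php_in_uploads "$d" 60)
#   [ "$n" -gt 0 ] && printf 'ALERT: %s PHP file(s) in %s\n' "$n" "$d"
# done
```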