Hi,
I have servers of mixed OS, some Centos, some Fedora, and after the flame war that erupted last week (where I said basically nothing and just watched), my server was hacked by this team of hackers, actually their friend:
http://www.sibersavascilar.com/
This made Karanbir's statements about mixing Cpanel and Centos (any maybe any linux distro) come true very quickly. If one of the top package maintainers says this, it bears weight.
I'd like to know more about this subject, specifically on the package front, for security's sake.
Karanbir, can you restate the issues with Cpanel please? They are trying to recommend CentOS as the OS to install on, and even that Linux Journal article did -and before anyone else wastes their time, -let's get everything out in the open so that there's a pipermail archive trail for future folks 'googling' for info later on pros/cons of using, or avoiding use of, non-complimentary projects/technologies.
Is the issue that both parties maintain separate packaging/updating regimes and have little or no successful communication as far as keeping thing secure and up to date?
That seemed to be what you said, -and if I had the old email, i'd just run with it's advice.
Also, can you list the IRC channels you mentioned last time that contain the various hackers bragging about freshly broken Cpanel/Centos builds? Freenode right? Any others? I've been on IRC back when BITNET was still active and there wasn't even mosaic yet, but have always avoided it after 1992 because of hackers 'sniffing for future targets'.
William, Jim, Johnny, -any comments are truly welcome, -anyone really. Basically i'd like to help stop or curtail the 'open season' this set of circumstances is creating for hackers, -I have already decided to avoid Cpanel on Centos as it is, -my server that was hacked with Cpanel was not a Centos box, and those that have it, have been shut down.
The server next to it was *also* hacked, and that *was* a centos machine, with only a yum update from 3 days prior. Is it really recommeded that I run yum update evry night then? It was stunning to have a box up for 3 days and then get owned so fast.
Luckily this was for my personal business entity, and not my full-time job, which indeed does run 50-70 Centos servers behind layers of firewalls and other protections, and *no* commercial products, only centos packages by Dag or Karanbir.
To anyone in the mood for scolding, please hold off OK? I'm not in the mood for overbearing attitudes right now. I'm trying to run a business and seek solid answers. I see Centos as a reliable alternative to commercial offerings *if* you pay careful attention to what the senior staff and relevant discussion groups advise.
As for the team of hackers, if anyone knows who this is, or can point out who they might be or how to ban them, -that is also most welcome.
Hacked By Crackers_Child For Peace DONT WAR ! Greetz : X_Alperen_X, XTech Inc , Metlak, Root_Mor,Dr Hacker, Dr.Jr7 ,Dr,Dermann,Code_Power,CukurOvalý ALL My Friends And All SiberSavascilar.Com Members !
--------------------------------- Stay in the know. Pulse on the new Yahoo.com. Check it out.
On Wed, 2006-08-09 at 09:08 -0700, Karl Balsmeier wrote:
Hi,
I have servers of mixed OS, some Centos, some Fedora, and after the flame war that erupted last week (where I said basically nothing and just watched), my server was hacked by this team of hackers, actually their friend:
http://www.sibersavascilar.com/
This made Karanbir's statements about mixing Cpanel and Centos (any maybe any linux distro) come true very quickly. If one of the top package maintainers says this, it bears weight.
I'd like to know more about this subject, specifically on the package front, for security's sake.
Karanbir, can you restate the issues with Cpanel please? They are trying to recommend CentOS as the OS to install on, and even that Linux Journal article did -and before anyone else wastes their time, -let's get everything out in the open so that there's a pipermail archive trail for future folks 'googling' for info later on pros/cons of using, or avoiding use of, non-complimentary projects/technologies.
Is the issue that both parties maintain separate packaging/updating regimes and have little or no successful communication as far as keeping thing secure and up to date?
That seemed to be what you said, -and if I had the old email, i'd just run with it's advice.
Also, can you list the IRC channels you mentioned last time that contain the various hackers bragging about freshly broken Cpanel/Centos builds? Freenode right? Any others? I've been on IRC back when BITNET was still active and there wasn't even mosaic yet, but have always avoided it after 1992 because of hackers 'sniffing for future targets'.
William, Jim, Johnny, -any comments are truly welcome, -anyone really. Basically i'd like to help stop or curtail the 'open season' this set of circumstances is creating for hackers, -I have already decided to avoid Cpanel on Centos as it is, -my server that was hacked with Cpanel was not a Centos box, and those that have it, have been shut down.
The server next to it was *also* hacked, and that *was* a centos machine, with only a yum update from 3 days prior. Is it really recommeded that I run yum update evry night then? It was stunning to have a box up for 3 days and then get owned so fast.
Luckily this was for my personal business entity, and not my full-time job, which indeed does run 50-70 Centos servers behind layers of firewalls and other protections, and *no* commercial products, only centos packages by Dag or Karanbir.
To anyone in the mood for scolding, please hold off OK? I'm not in the mood for overbearing attitudes right now. I'm trying to run a business and seek solid answers. I see Centos as a reliable alternative to commercial offerings *if* you pay careful attention to what the senior staff and relevant discussion groups advise.
As for the team of hackers, if anyone knows who this is, or can point out who they might be or how to ban them, -that is also most welcome.
---- The only way to close the door is to figure out which door they used to get in.
The likely culprits are ssh - things like php (especially if using phpbb or other content management systems which allow users to write things on the web site). My money these days is always on SSH, allowing users to log in via password and users with weak passwords.
It's not really germane to discuss whether it was CentOS, CPanel or whatever until you actually know how they got in.
Craig
If they got in via SSH and all they did was deface his website they must be stand-up guys, huh? Most likely they just wrote an executable to his /tmp directory and then used apache's amazing recursion checking to execute it. This is the most common case I've seen on the dozens of cPanel 'hacks' I've encountered.
-Drew
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Craig White Sent: Wednesday, August 09, 2006 12:19 PM To: CentOS mailing list Subject: Re: [CentOS] Server Hacked: Cpanel
On Wed, 2006-08-09 at 09:08 -0700, Karl Balsmeier wrote:
Hi,
I have servers of mixed OS, some Centos, some Fedora, and after the flame war that erupted last week (where I said basically nothing and just watched), my server was hacked by this team of hackers, actually their friend:
http://www.sibersavascilar.com/
This made Karanbir's statements about mixing Cpanel and Centos (any maybe any linux distro) come true very quickly. If one of the top package maintainers says this, it bears weight.
I'd like to know more about this subject, specifically on the package front, for security's sake.
Karanbir, can you restate the issues with Cpanel please? They are trying to recommend CentOS as the OS to install on, and even that Linux Journal article did -and before anyone else wastes their time, -let's get everything out in the open so that there's a pipermail archive trail for future folks 'googling' for info later on pros/cons of using, or avoiding use of, non-complimentary projects/technologies.
Is the issue that both parties maintain separate packaging/updating regimes and have little or no successful communication as far as keeping thing secure and up to date?
That seemed to be what you said, -and if I had the old email, i'd just run with it's advice.
Also, can you list the IRC channels you mentioned last time that contain the various hackers bragging about freshly broken Cpanel/Centos builds? Freenode right? Any others? I've been on IRC back when BITNET was still active and there wasn't even mosaic yet, but have always avoided it after 1992 because of hackers 'sniffing for future targets'.
William, Jim, Johnny, -any comments are truly welcome, -anyone really. Basically i'd like to help stop or curtail the 'open season' this set of circumstances is creating for hackers, -I have already decided to avoid Cpanel on Centos as it is, -my server that was hacked with Cpanel was not a Centos box, and those that have it, have been shut down.
The server next to it was *also* hacked, and that *was* a centos machine, with only a yum update from 3 days prior. Is it really recommeded that I run yum update evry night then? It was stunning to have a box up for 3 days and then get owned so fast.
Luckily this was for my personal business entity, and not my full-time job, which indeed does run 50-70 Centos servers behind layers of firewalls and other protections, and *no* commercial products, only centos packages by Dag or Karanbir.
To anyone in the mood for scolding, please hold off OK? I'm not in the mood for overbearing attitudes right now. I'm trying to run a business and seek solid answers. I see Centos as a reliable alternative to commercial offerings *if* you pay careful attention to what the senior staff and relevant discussion groups advise.
As for the team of hackers, if anyone knows who this is, or can point out who they might be or how to ban them, -that is also most welcome.
---- The only way to close the door is to figure out which door they used to get in.
The likely culprits are ssh - things like php (especially if using phpbb or other content management systems which allow users to write things on the web site). My money these days is always on SSH, allowing users to log in via password and users with weak passwords.
It's not really germane to discuss whether it was CentOS, CPanel or whatever until you actually know how they got in.
Craig
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 12:29:14PM -0400, Drew Weaver wrote:
If they got in via SSH and all they did was deface his website they must be stand-up guys, huh? Most likely they just wrote an executable to his /tmp directory and then used apache's amazing recursion checking to execute it. This is the most common case I've seen on the dozens of cPanel 'hacks' I've encountered.
/tmp, /var/tmp and /dev/shm based compromizes do seem to account for 70%+ of the hacking on cPanel servers these days.
I blame canned script kiddies tools for that. It is simply the easiest way to go.
Usually you will have a perl script there, so even nodev,noexec won't stop that.
[]s
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Drew Weaver wrote:
If they got in via SSH and all they did was deface his website they must be stand-up guys, huh?
Indeed. I try to be reasonably quick about updates and the occasional short-notice ssh exploit is rather scary.
---
I've found that at least 75-80% of the time there is a compromise the "hacker" doesn't have "local" access to the system, meaning a shell. They simply upload a script to /tmp, run it, and that's their damage. If they are getting in via SSH someone has a bad security policy.
-Drew
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 12:40:17PM -0400, Chris Mauritz wrote:
Drew Weaver wrote:
If they got in via SSH and all they did was deface his website they must be stand-up guys, huh?
Indeed. I try to be reasonably quick about updates and the occasional short-notice ssh exploit is rather scary.
I have been using one One Time Password method or another to allow my users to have ssh access to their areas these days. Works great, as long as they are new users. Old users might complain if you make things "more difficult" for them.
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Wed, 2006-08-09 at 14:01 -0300, Rodrigo Barbosa wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 12:40:17PM -0400, Chris Mauritz wrote:
<snip>
I have been using one One Time Password method or another to allow my users to have ssh access to their areas these days. Works great, as long as they are new users. Old users might complain if you make things "more difficult" for them.
As you know, I've never been afraid of exposing my ignorance. So, a Q.
From rom my reading learning to use SSH and such I saw recommendations that login/password not be allowed where possible. So I did the public key things and exported them around my little nichework. My theory being that it is harder to get in and compromise things if there is no login/password pair for someone to "snoop".
My question is: is there a scenario where the public key based solution is just totally inappropriate? Am I overrating the value of going "passwordless"?
I'm also using an IPCop firewall w/no access from the 'net for now. But if/when I "open 'er up" a little, I would like to believe I'm doing the best job I can.
Rodrigo Barbosa
<snip sig stuff>
TIA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 01:15:29PM -0400, William L. Maltby wrote:
My question is: is there a scenario where the public key based solution is just totally inappropriate? Am I overrating the value of going "passwordless"?
No to both questions. I use the same thing on all my servers (only keys, no plain-text).
However, there is a 3rd authentication option. The first 2 are:
- - Password - - Public Key
the 3rd being:
- - Challenge/Response
Challenge/Response authentication include things like S/KEY and OTPW (One Time PassWord).
If we give Password authentication a security rating of 0, and Public Key a security rating of 10, a good challenge/response method will offer you something like 9. They are a very good alternative when you can't, for one reason or another, use only key auth. And just like for passwords, you can have both key and challenge methods enabled.
There is one particular critical server here that I need to be able to access no matter what. Even if I need to go into a lanhouse to do it. In that case, using a public key is at least unadvisable, since others can try grabbing it at the time. So, Challenge/Response is a very good way to go, since it doesn't matter if someone else get my password (the password will work only once).
I'm also using an IPCop firewall w/no access from the 'net for now. But if/when I "open 'er up" a little, I would like to believe I'm doing the best job I can.
If you has the option of only using keys, then that is the way to go. Make sure all other authentication methods are disabled for extra points.
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Wed, 2006-08-09 at 15:01 -0300, Rodrigo Barbosa wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 01:15:29PM -0400, William L. Maltby wrote:
My question is: is there a scenario where the public key based solution is just totally inappropriate? Am I overrating the value of going "passwordless"?
No to both questions. I use the same thing on all my servers (only keys, no plain-text).
That's good to know. So I am not only learning again, but also evaluating properly (at least temporarily)!
However, there is a 3rd authentication option. The first 2 are:
- Password
- Public Key
the 3rd being:
- Challenge/Response
HA! I remember this from before I got cable access. While futilely hoping the telco would get DSL out here in the sticks, I did dial to my ISP. Auth was either PAP or CHAP. IIRC, ISP preferred CHAP and that's what we did (PtoP).
Challenge/Response authentication include things like S/KEY and OTPW (One Time PassWord).
<snip CHAP is pretty darn good explanation>
Rodrigo Barbosa
<snip sig stuff>
Thanks Rodrigo, for taking the time!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 03:19:23PM -0400, William L. Maltby wrote:
the 3rd being:
- Challenge/Response
HA! I remember this from before I got cable access. While futilely hoping the telco would get DSL out here in the sticks, I did dial to my ISP. Auth was either PAP or CHAP. IIRC, ISP preferred CHAP and that's what we did (PtoP).
Having to stop the passwords on plaintext (on the ISP side) always makes me raise an eyebrow toward any place that offers CHAP as authentication. Then again, I always use different passwords everywhere, so that is not usually a big issue.
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Wed, 2006-08-09 at 17:00 -0300, Rodrigo Barbosa wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 03:19:23PM -0400, William L. Maltby wrote:
the 3rd being:
- Challenge/Response
HA! I remember this from before I got cable access. While futilely hoping the telco would get DSL out here in the sticks, I did dial to my ISP. Auth was either PAP or CHAP. IIRC, ISP preferred CHAP and that's what we did (PtoP).
Having to stop the passwords on plaintext (on the ISP side) always makes me raise an eyebrow toward any place that offers CHAP as authentication. Then again, I always use different passwords everywhere, so that is not usually a big issue.
Same here, even in my own net (I have grandchildren: they can be "snoopy"). The darn trouble is trying to remember them all, including those for different 'net sites; all have a different password.
The plain text password didn't bother me so much as my connection was a dial-up Point-to-Point connection. One would need some special acces to intercept.
Rodrigo Barbosa
<snip sig stuff>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 04:40:09PM -0400, William L. Maltby wrote:
Having to stop the passwords on plaintext (on the ISP side) always makes me raise an eyebrow toward any place that offers CHAP as authentication. Then again, I always use different passwords everywhere, so that is not usually a big issue.
Same here, even in my own net (I have grandchildren: they can be "snoopy"). The darn trouble is trying to remember them all, including those for different 'net sites; all have a different password.
The plain text password didn't bother me so much as my connection was a dial-up Point-to-Point connection. One would need some special acces to intercept.
CHAP autentication send the "password" encrypted over the wire. The problem is how it is stored on the ISP server.
[]s
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Wed, 2006-08-09 at 18:12 -0300, Rodrigo Barbosa wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 04:40:09PM -0400, William L. Maltby wrote:
<snip>
The plain text password didn't bother me so much as my connection was a dial-up Point-to-Point connection. One would need some special acces to intercept.
CHAP autentication send the "password" encrypted over the wire. The problem is how it is stored on the ISP server.
YIKES! Good thing it was a local that I knew very well to be very concientious. We used to ride our MCs a lot together and I came to know them well.
Rodrigo Barbosa
<snip sig stuff>
Hm, we have mixed results with security regarding cPanel and CentOs (or any distribution really). It seems like anytime there are forums involved, an insecure /tmp directory, or the default cPanel services all left enabled, you're headed for trouble.
That's just my opinion.
-Drew
________________________________
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Karl Balsmeier Sent: Wednesday, August 09, 2006 12:08 PM To: CentOS@centos.org Subject: [CentOS] Server Hacked: Cpanel
Hi,
I have servers of mixed OS, some Centos, some Fedora, and after the flame war that erupted last week (where I said basically nothing and just watched), my server was hacked by this team of hackers, actually their friend:
http://www.sibersavascilar.com/
This made Karanbir's statements about mixing Cpanel and Centos (any maybe any linux distro) come true very quickly. If one of the top package maintainers says this, it bears weight.
I'd like to know more about this subject, specifically on the package front, for security's sake.
Karanbir, can you restate the issues with Cpanel please? They are trying to recommend CentOS as the OS to install on, and even that Linux Journal article did -and before anyone else wastes their time, -let's get everything out in the open so that there's a pipermail archive trail for future folks 'googling' for info later on pros/cons of using, or avoiding use of, non-complimentary projects/technologies.
Is the issue that both parties maintain separate packaging/updating regimes and have little or no successful communication as far as keeping thing secure and up to date?
That seemed to be what you said, -and if I had the old email, i'd just run with it's advice.
Also, can you list the IRC channels you mentioned last time that contain the various hackers bragging about freshly broken Cpanel/Centos builds? Freenode right? Any others? I've been on IRC back when BITNET was still active and there wasn't even mosaic yet, but have always avoided it after 1992 because of hackers 'sniffing for future targets'.
William, Jim, Johnny, -any comments are truly welcome, -anyone really. Basically i'd like to help stop or curtail the 'open season' this set of circumstances is creating for hackers, -I have already decided to avoid Cpanel on Centos as it is, -my server that was hacked with Cpanel was not a Centos box, and those that have it, have been shut down.
The server next to it was *also* hacked, and that *was* a centos machine, with only a yum update from 3 days prior. Is it really recommeded that I run yum update evry night then? It was stunning to have a box up for 3 days and then get owned so fast.
Luckily this was for my personal business entity, and not my full-time job, which indeed does run 50-70 Centos servers behind layers of firewalls and other protections, and *no* commercial products, only centos packages by Dag or Karanbir.
To anyone in the mood for scolding, please hold off OK? I'm not in the mood for overbearing attitudes right now. I'm trying to run a business and seek solid answers. I see Centos as a reliable alternative to commercial offerings *if* you pay careful attention to what the senior staff and relevant discussion groups advise.
As for the team of hackers, if anyone knows who this is, or can point out who they might be or how to ban them, -that is also most welcome.
Hacked By Crackers_Child
For Peace
DONT WAR !
Greetz : X_Alperen_X, XTech Inc , Metlak, Root_Mor,Dr Hacker, Dr.Jr7 ,Dr,Dermann,Code_Power,CukurOvalý
ALL My Friends
And All SiberSavascilar.Com Members !
________________________________
Stay in the know. Pulse on the new Yahoo.com. Check it out. http://us.rd.yahoo.com/evt=42974/*http:/www.yahoo.com/preview
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Some excerpts:
On Wed, Aug 09, 2006 at 09:08:00AM -0700, Karl Balsmeier wrote:
This made Karanbir's statements about mixing Cpanel and Centos (any maybe any linux distro) come true very quickly. If one of the top package maintainers says this, it bears weight.
I'd like to know more about this subject, specifically on the package front, for security's sake.
First things first.
When you install cPanel, you no longer have a CentOS machine, you have a cPanel one. As simple as that.
cPanel is way too intrusive. It will stop any efforts from the CentOS team to keep the machine current and secure. It will change everything from services to libraries.
Is the issue that both parties maintain separate packaging/updating regimes and have little or no successful communication as far as keeping thing secure and up to date?
Actually no. There are many features on cPanel that depend on heavy patching of packages, including Apache and Exim. There is actually no way better communication would make any difference, unless cPanel was made opensource (and correctly documented).
Also, can you list the IRC channels you mentioned last time that contain the various hackers bragging about freshly broken Cpanel/Centos builds?
Is there any need for that ? Hacking a cPanel server is trivial for any hacker but a script kid.
Not only it will use unsecure versions of many softwares and some patches of questionable safety, it will also stop you from using several method of improving security (/tmp hardening with ACLs is just one example).
There are some people (rack911.com) that can do wonders securing a cPanel server, but even them can't make it as secure as a pure CentOS server. If you really need to use cPanel (and other CPs for that matter), I urge you to contact Steve at rack911.com and ask him to secure your server. Regarding CP based servers, he is the best I know.
William, Jim, Johnny, -any comments are truly welcome, -anyone really. Basically i'd like to help stop or curtail the 'open season' this set of circumstances is creating for hackers, -I have already decided to avoid Cpanel on Centos as it is, -my server that was hacked with Cpanel was not a Centos box, and those that have it, have been shut down.
It really will make no big difference if you are using CentOS or some other base distro for cPanel. cPanel will replaces so many things, and will give you Fantastico, which is an amazing tool, as long as you don't mind security.
The server next to it was *also* hacked, and that *was* a centos machine, with only a yum update from 3 days prior. Is it really recommeded that I run yum update evry night then? It was stunning to have a box up for 3 days and then get owned so fast.
Again, wouldn't have made any difference.
Luckily this was for my personal business entity, and not my full-time job, which indeed does run 50-70 Centos servers behind layers of firewalls and other protections, and *no* commercial products, only centos packages by Dag or Karanbir.
That is the way to go.
To anyone in the mood for scolding, please hold off OK? I'm not in the mood for overbearing attitudes right now. I'm trying to run a business and seek solid answers. I see Centos as a reliable alternative to commercial offerings *if* you pay careful attention to what the senior staff and relevant discussion groups advise.
I hope you don't think I'm scolding you. CPs have a business value. I'm well aware of that. But you get that at the price of security (along other things that don't relate to this thread).
My point is very simple: if you are using cPanel, you WILL get hacked. I suspect the same holds true for all other CPs (DirectAdmin, Cubix etc), but I can't say for certain, since I never audited a machine with those CPs, only read their specs.
Your best shot is to get speciallized cPanel securing assistance. As I said, Rack911 is your best bet as far as I'm concerned.
As for the team of hackers, if anyone knows who this is, or can point out who they might be or how to ban them, -that is also most welcome.
Don't want your time trying to ban them. It won't work. They will simply hack someone else's cPanel server and use it to access your.
There are some tips and HOWTOs on www.webhostingtalk.com that might help you secure your machine by yourself, and if nothing else, I would check there.
Best Regards,
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Rodrigo Barbosa Sent: Wednesday, August 09, 2006 12:29 PM To: CentOS mailing list Subject: Re: [CentOS] Server Hacked: Cpanel
Not only it will use unsecure versions of many softwares and some patches of questionable safety, it will also stop you from using several method of improving security (/tmp hardening with ACLs is just one example). ---
Not to sound silly but cPanel automatically secures the /tmp directory since the end of last year.
Some people disable it forcefully.
-Drew
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 12:37:36PM -0400, Drew Weaver wrote:
Not only it will use unsecure versions of many softwares and some patches of questionable safety, it will also stop you from using several method of improving security (/tmp hardening with ACLs is just one example).
Not to sound silly but cPanel automatically secures the /tmp directory since the end of last year.
Some people disable it forcefully.
If you call mounting it nodev,noexec securing it, yes true. Unfortunately, that won't stop perl scripts from running there, or people using it to store stuff there.
Yes, nodev,noexec is better than nothing, but it is simply not enough (or close to enough) these days.
That is why I use Posix ACLs to secure it these days. Apache simply can't write there.
Ok, it is a bit of security through obscurity, since you have to reconfigure PHP to stop sessions on a different directory anyway, and a really determined hacker might eventually find it through some information disclosure bug, but at least you will stop the script kiddies and mid-level hackers.
And, trust me, if you are facing a really skilled hacker, cPanel is just one of your worries.
As a side not, I have started playing with SELinux to try and improve the security of my servers. My main problem is that you simply can't find a working rule set for Exim, and I'm working hard on creating one while learning SELinux at the same time.
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Wed, 2006-08-09 at 13:42 -0300, Rodrigo Barbosa wrote:
As a side not, I have started playing with SELinux to try and improve the security of my servers. My main problem is that you simply can't find a working rule set for Exim, and I'm working hard on creating one while learning SELinux at the same time.
Slightly OT: I have been playing a bit with the Simplified Policy Description Language (SPDL), that is part of the SEEdit project[1]. The language looks like AppArmor policies. I still use the 'targeted' policy on servers, but on the other hand using SPDL seems better than turning SELinux off completely[2].
E.g., this is a simple quick sample policy, quite readable if you know UNIX DAC semantics.
--- { domain vsftpd_t; program /usr/sbin/vsftpd; include common-relaxed.sp; include daemon.sp; include nameservice.sp;
allow /etc/shadow r,s; allow /etc/pam.d/vsftpd r,s; allow /etc/security/pam_env.conf r,s; allow /etc/vsftpd.user_list r,s; allow /etc/vsftpd/vsftpd.conf r,s; allow /var/log/xferlog a,r,s; allow ~/** rw,s;
allowpriv netlink; allowpriv cap_sys_chroot; allowpriv audit_write; allow /etc/selinux/config r,s;
allownet -protocol tcp -port 20 server; allownet -protocol tcp -port 21 server; allownet -protocol tcp -port 1024- server; } ---
-- Daniel
[1] http://seedit.sourceforge.net/ [2] I think that the majority of the current system administrators will never bother to learn to understand the current policy or the new 'reference policy', and will simply turn it off when the default policy gets in the way.
<snipping everything> Okay, here's my personal take on the matter, for the $0.000002 that it's worth.
For production machines, sometimes control panels are required for the job. I'll preach against them, but that doesn't do much.
If you install something like Cpanel to a system, you're adding a level of complexity. You're stepping over what's provided in the base, and adding to it. This means you need to not only know the base inside and out, but you need to know Cpanel inside and out as well. So, lets go through the admin checklist:
1. Minimal packageset. Go through the rpms installed on your system and clean out ones that you don't need or don't use. window managers, compilers, etc have no business on a production box. If you need a compiler to install/update cpanel, you might want to look at the possibility of removing them after the install/update. If they stay on the system, you're only giving the attacker something else to use that he doesn't have to provide himself.
2. Regular updates and backups. Duh, but still needs to be said. Too many people don't do this.
3. Config changes. Many default application settings are wide open. Make sure that you lock down or disable what you don't need. For example in php things like allow_url_fopen, globals, etc should be off. Safe Mode should be on if you can manage it within your application.
4. Permissions: Unix permissions by default are DAC style, where the user has the power to change permissions. Make sure that you stay on top of this and keep permissions in places like your webroot to a minimum to do the job. If you can, enable SELinux, which is MAC style based permission, which enforces restrictions no matter what the user does.
5. Data input checking: SQL injections and other such annoyances can be avoided with proper input checking. Utilities like mod_security for apache are a must in my book. If you're able, go through the code for whichever app you're using and see if they're checking input properly. Invest some time in mod_security and learning the rulesets. It's archaic, but the defaults are good, and they stay updated. If you're using a common app (phpbb or some such) you shouldn't have to tweak much to enjoy the protection of mod_security. (it's at centos.karan.org all packaged up for you. Thank karanbir for it)
6. Log checking use logwatch other other such utilities and keep up on your logs. If someone's been poking at your site for a few days, and they've gone from getting loads of 40(3,4)'s to 302s or 200's.. you'll want to know about it.
Yes this is tailored mostly to web services. There are loads of other things to do.. but these are the basics, and most people who get bitten aren't staying on top of them.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Okey, lemme expand this a little bit, and even contradict you (while agreeing).
On Wed, Aug 09, 2006 at 01:32:42PM -0400, Jim Perrin wrote:
If you install something like Cpanel to a system, you're adding a level of complexity. You're stepping over what's provided in the base, and adding to it. This means you need to not only know the base inside and out, but you need to know Cpanel inside and out as well.
It is a bit more problematic than that. You are not only adding stuff, but you are also replacing (exim, apache) a part of the system.
- Minimal packageset.
Always a good thing to do, with or without a CP.
- Regular updates and backups.
Backups ! Backups !
- Config changes
Which is sad but true, specially for cPanel (can't say for sure with the other CPs).
As a side note, even Webmin will screwup your iptables settings if you enable bandwidth monitoring.
- Permissions:
Unix permissions by default are DAC style, where the user has the power to change permissions. Make sure that you stay on top of this and keep permissions in places like your webroot to a minimum to do the job. If you can, enable SELinux, which is MAC style based permission, which enforces restrictions no matter what the user does.
Also, take a look at POSIX ACLs. They are a bit more complex to use than unix permissions, but much more flexible.
Nice checklist, Jim.
Best Regards,
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On 8/9/06, Rodrigo Barbosa rodrigob@darkover.org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Okey, lemme expand this a little bit, and even contradict you (while agreeing).
I agree with your contradicting agreements.
It is a bit more problematic than that. You are not only adding stuff, but you are also replacing (exim, apache) a part of the system.
True, and slightly more accurate. I would assume that one who has a mastery of both centos and CPanel would by default understand such things, but it may need to be set.
Also, take a look at POSIX ACLs. They are a bit more complex to use than unix permissions, but much more flexible.
ACK! Dammit I did leave out extended ACLs... good catch. They're quite nice also, although they make backups interesting because tar eats them. Star is your friend in those circumstances.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 02:24:36PM -0400, Jim Perrin wrote:
It is a bit more problematic than that. You are not only adding stuff, but you are also replacing (exim, apache) a part of the system.
True, and slightly more accurate. I would assume that one who has a mastery of both centos and CPanel would by default understand such things, but it may need to be set.
Aiming for mastery of both CentOS and cPanel is like mastering sendmail.cf rule writing: difficult, impressive but definitively not a worthy goal.
My point is simply, once you are using cPanel, you really have to trust them to provide you with everything. Even minor changes on the software installed by cPanel will make parts of it stop working. So you have to keep your customizations to what you can do using the web interface, unless you are completely crazy (and if you mastered sendmail.cf rule writing, you definitively are).
If you are using cPanel, forget ACLs and SELinux. You can try to do something using the stock kernel + grsecurity patches, and maybe even install mod_security, but you really can't aim higher than that.
Also, take a look at POSIX ACLs. They are a bit more complex to use than unix permissions, but much more flexible.
ACK! Dammit I did leave out extended ACLs... good catch. They're quite nice also, although they make backups interesting because tar eats them. Star is your friend in those circumstances.
I really hate using tar for backups, even tho sometimes we are forces to use it. I try to use "dump" as much as possible, since it will (should?) get all the fs metadata correctly. When migrating servers, I usually add a nice dd of the filesystem, having a image I can mount whenever I want, just for an extra kick.
It is really unfortunately that ACLs are not supported by many utilities, with special proeminence to tar. I don't think cpio can handle it either.
[]s
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
hi! Karl Balsmeier wrote:
Hi,
I have servers of mixed OS, some Centos, some Fedora, and after the flame war that erupted last week (where I said basically nothing and just watched), my server was hacked by this team of hackers, actually their friend:
the issue with cPanel + CentOS has been security related, always. They ( cPanel ) are very lethargic about doing security updates, and are quite willing to continue to push known bad packages. Also, they seem to have decided ( for no real reason, that i can see ) to use their own packages for the core operational packages on web servers ( stuff like php, mysql, apache etc ) - none of these apps are then being either audited / monitored / patched / updated like the other packages in the CentOS distribution are.
Some very good points have been made by the others here w.r.t security and checklists etc. It would be nice to see someone from cPanel ( we know there are some on this list! ) address some of these issues...
-
Chris Mauritz -
Craig White -
Daniel de Kok -
Drew Weaver -
Jim Perrin -
Karanbir Singh -
Karl Balsmeier -
Rodrigo Barbosa -
William L. Maltby