[CentOS] Server Hacked: Cpanel

Rodrigo Barbosa rodrigob at darkover.org
Wed Aug 9 18:38:14 UTC 2006


On Wed, Aug 09, 2006 at 02:24:36PM -0400, Jim Perrin wrote:
> >It is a bit more problematic than that. You are not only adding stuff,
> >but you are also replacing (exim, apache) a part of the system.
> 
> True, and slightly more accurate. I would assume that one who has a
> mastery of both centos and CPanel would by default understand such
> things, but it may need to be set.

Aiming for mastery of both CentOS and cPanel is like mastering
sendmail.cf rule writing: difficult, impressive but definitely
not a worthy goal.

My point is simply, once you are using cPanel, you really have to trust
them to provide you with everything. Even minor changes on the software
installed by cPanel will make parts of it stop working. So you have to
keep your customizations to what you can do using the web interface, unless
you are completely crazy (and if you mastered sendmail.cf rule writing,
you definitely are).

If you are using cPanel, forget ACLs and SELinux. You can try to do
something using the stock kernel + grsecurity patches, and maybe
even install mod_security, but you really can't aim higher than
that.

> >Also, take a look at POSIX ACLs. They are a bit more complex to use
> >than unix permissions, but much more flexible.
> 
> ACK! Dammit I did leave out extended ACLs... good catch. They're quite
> nice also, although they make backups interesting because tar eats
> them. Star is your friend in those circumstances.

I really hate using tar for backups, even though sometimes we are forced
to use it. I try to use "dump" as much as possible, since it will
(should?) get all the fs metadata correctly. When migrating servers,
I usually add a nice dd of the filesystem, having an image I can mount
whenever I want, just for an extra kick.

It is really unfortunate that ACLs are not supported by many
utilities, with special prominence to tar. I don't think cpio can
handle them either.

[]s

- -- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)



