Page 1 of 3
How-to Protect server and separate accounts?
Posted: Mon Feb 16, 2015 6:58 pm
by uscreator
Good morning,
Question. in the instance server is hacked through php.
For example on main account "admin"
How this will affect other accounts on VestaCP and system in general?
Will hacker be able to penetrate other accounts and root?
Thanks,
Ed
EDIT1
And what is a good practice to "localize" the damage?
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 4:51 am
by skurudo
One domain = one user account
and account isolation with open_basedir
Templates - basedir / hostting for Apache2 and hosting for Nginx
Need security changes in ->
/usr/local/vesta/data/templates/web/apache2/basedir.stpl
/usr/local/vesta/data/templates/web/apache2/basedir.tpl
/usr/local/vesta/data/templates/web/apache2/hosting.tpl
/usr/local/vesta/data/templates/web/apache2/hosting.stpl
Code: Select all
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 3:13 pm
by uscreator
skurudo thank you for quick reply.
But if intruder will gain access with php to shell?
What linux permission level will intruder have by default? How can I test this effectively?
And maybe isolate on the linux account level?
Thanks,
Ed
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 7:33 pm
by skurudo
uscreator wrote:
But if intruder will gain access with php to shell?
open_basedir can lock shell in site folder
uscreator wrote:What linux permission level will intruder have by default? How can I test this effectively?
Mm... tricky question.
You have shell or two for test?
uscreator wrote:And maybe isolate on the linux account level?
How you see this?
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 8:02 pm
by uscreator
skurudo wrote:open_basedir can lock shell in site folder
I'm not PHP expert so will need to learn more about open_basedir
skurudo wrote:
What linux permission level will intruder have by default? How can I test this effectively?
Mm... tricky question.
You have shell or two for test?
Yes I can provide a shell for your tests
skurudo wrote:
And maybe isolate on the linux account level?
How you see this?
Well I'm a little confused with user 'admin'
If I create another vistaCP user 'putin' will this user be a linux shell user with all web files ownership etc.?
And can 'putin' files be totally isolated?
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 8:13 pm
by skurudo
uscreator wrote:I'm not PHP expert so will need to learn more about open_basedir
Yes, you can -
https://wiki.apache.org/httpd/SecuringPHP
uscreator wrote:Yes I can provide a shell for your tests
Can you pm me examles?
uscreator wrote:Well I'm a little confused with user 'admin'
If I create another vistaCP user 'putin' will this user be a linux shell user with all web files ownership etc.?
And can 'putin' files be totally isolated?
I'm more confused with user 'putin', but about 'isolated putin' it's nice wordplay.
Not all user can connect via ssh - don't have bash/sh/dash or somethin - you can add or remove this option
User in VestaCP it's simple linux user with all goods and problems,
PHP scripts run from user and isolated by open_basedir.
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 8:49 pm
by uscreator
skurudo wrote:
Can you pm me examles?
Let me know when you will need it.
I will create a Ubuntu box for your tests for a day or two
skurudo wrote:
PHP scripts run from user and isolated by open_basedir.
Yes, that's exactl behaviour I expect.
If php is penetrated on account 'admin' intruder will stay within 'admin' sandbox.
And cannot go to 'root' or to 'putin'
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 8:54 pm
by skurudo
uscreator wrote:
Let me know when you will need it.
I will create a Ubuntu box for your tests for a day or two
Anytime, when you ready. I will test it on my servers too.
I tried before
http://code.google.com/p/b374k-shell and with open_basedir it didn't work.
uscreator wrote:Yes, that's exactl behaviour I expect.If php is penetrated on account 'admin' intruder will stay within 'admin' sandbox.And cannot go to 'root' or to 'putin'
Sites on account admin - it's not good idea. I think it's better create new user for sites. If possible one user = one site.
Re: How-to Protect server and separate accounts?
Posted: Tue Feb 17, 2015 9:32 pm
by uscreator
skurudo wrote:
Anytime, when you ready. I will test it on my servers too.
Yes, I will setup a box for you tomorrow. We need to test this on the live server
skurudo wrote:
Sites on account admin - it's not good idea. I think it's better create new user for sites. If possible one user = one site.
Yes, you got me thinking now.
All of the files on the Vestacp are installed unders 'admin' ???
This includes binaries and other things. ( like Apache, nginx, fail2ban ) all under 'admin'???
You are right admin should not be used for web hosting at all in this case. Maybe some expert can correct me.
Re: How-to Protect server and separate accounts?
Posted: Wed Feb 18, 2015 8:12 am
by skurudo
uscreator wrote:All of the files on the Vestacp are installed unders 'admin' ???
This includes binaries and other things. ( like Apache, nginx, fail2ban ) all under 'admin'???
You are right admin should not be used for web hosting at all in this case. Maybe some expert can correct me.
Nope, you got me a bit wrong. VestaCP install files and binaries with normal/unix way under root, apache2/nginx work with their rights. It's absolutly standart way. But user admin can use sudo and I see there security issue, if we place all your sites under this account and enable ssh for this user (disabled by default).