Vesta Control Panel - Forum

Community Forum

How-to Protect server and separate accounts?

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
23 posts
uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

How-to Protect server and separate accounts?

Post by uscreator » Mon Feb 16, 2015 6:58 pm

Good morning,

Question: in the instance the server is hacked through PHP.
For example on the main account "admin".
How will this affect other accounts on VestaCP and the system in general?
Will the hacker be able to penetrate other accounts and root?

Thanks,

Ed

EDIT1
And what is a good practice to "localize" the damage?

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How-to Protect server and separate accounts?

Post by skurudo » Tue Feb 17, 2015 4:51 am

One domain = one user account
and account isolation with open_basedir

Templates - basedir / hosting for Apache2 and hosting for Nginx

Need security changes in ->
/usr/local/vesta/data/templates/web/apache2/basedir.stpl
/usr/local/vesta/data/templates/web/apache2/basedir.tpl
/usr/local/vesta/data/templates/web/apache2/hosting.tpl
/usr/local/vesta/data/templates/web/apache2/hosting.stpl

Code:

php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
viewtopic.php?f=11&t=6747&p=21644&hilit ... dir#p21644

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Tue Feb 17, 2015 3:13 pm

skurudo, thank you for the quick reply.

But what if the intruder gains shell access through PHP?
What Linux permission level will the intruder have by default? How can I test this effectively?
And maybe isolate on the Linux account level?

Thanks,

Ed

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How-to Protect server and separate accounts?

Post by skurudo » Tue Feb 17, 2015 7:33 pm

uscreator wrote: But what if the intruder gains shell access through PHP?
open_basedir can lock the shell in the site folder.
uscreator wrote: What Linux permission level will the intruder have by default? How can I test this effectively?
Mm... tricky question.
Do you have a shell or two for testing?
uscreator wrote: And maybe isolate on the Linux account level?
How do you see this?

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Tue Feb 17, 2015 8:02 pm

skurudo wrote: open_basedir can lock the shell in the site folder.
I'm not a PHP expert so I will need to learn more about open_basedir.
skurudo wrote: What Linux permission level will the intruder have by default? How can I test this effectively?
Mm... tricky question.
Do you have a shell or two for testing?
Yes, I can provide a shell for your tests.
skurudo wrote: And maybe isolate on the Linux account level?
How do you see this?
Well, I'm a little confused with user 'admin'.
If I create another VestaCP user 'putin', will this user be a Linux shell user with all web files ownership etc.?
And can 'putin' files be totally isolated?

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How-to Protect server and separate accounts?

Post by skurudo » Tue Feb 17, 2015 8:13 pm

uscreator wrote: I'm not a PHP expert so I will need to learn more about open_basedir.
Yes, you can - https://wiki.apache.org/httpd/SecuringPHP

uscreator wrote: Yes, I can provide a shell for your tests.
Can you PM me examples?
uscreator wrote: Well, I'm a little confused with user 'admin'.
If I create another VestaCP user 'putin', will this user be a Linux shell user with all web files ownership etc.?
And can 'putin' files be totally isolated?
I'm more confused with user 'putin', but about 'isolated putin' it's a nice wordplay.

Not all users can connect via SSH - they don't have bash/sh/dash or something - you can add or remove this option.

A user in VestaCP is a simple Linux user with all the goods and problems:

Code:

test:x:1001:1001:[email protected]:/home/test:/sbin/nologin
PHP scripts run as the user and are isolated by open_basedir.

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Tue Feb 17, 2015 8:49 pm

skurudo wrote: Can you PM me examples?
Let me know when you will need it.
I will create an Ubuntu box for your tests for a day or two.
skurudo wrote: PHP scripts run as the user and are isolated by open_basedir.
Yes, that's exactly the behaviour I expect.
If PHP is penetrated on account 'admin', the intruder will stay within the 'admin' sandbox
and cannot go to 'root' or to 'putin'.

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How-to Protect server and separate accounts?

Post by skurudo » Tue Feb 17, 2015 8:54 pm

uscreator wrote: Let me know when you will need it.
I will create an Ubuntu box for your tests for a day or two.
Anytime, when you're ready. I will test it on my servers too.

I tried http://code.google.com/p/b374k-shell before, and with open_basedir it didn't work.
uscreator wrote: Yes, that's exactly the behaviour I expect. If PHP is penetrated on account 'admin', the intruder will stay within the 'admin' sandbox and cannot go to 'root' or to 'putin'.
Sites on account admin - it's not a good idea. I think it's better to create a new user for sites. If possible, one user = one site.

uscreator
Posts: 43
Joined: Mon Oct 20, 2014 5:05 pm

Re: How-to Protect server and separate accounts?

Post by uscreator » Tue Feb 17, 2015 9:32 pm

skurudo wrote: Anytime, when you're ready. I will test it on my servers too.
Yes, I will set up a box for you tomorrow. We need to test this on the live server.
skurudo wrote: Sites on account admin - it's not a good idea. I think it's better to create a new user for sites. If possible, one user = one site.
Yes, you got me thinking now.
All of the files on VestaCP are installed under 'admin'???
This includes binaries and other things (like Apache, nginx, fail2ban), all under 'admin'???
You are right, admin should not be used for web hosting at all in this case. Maybe some expert can correct me.

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How-to Protect server and separate accounts?

Post by skurudo » Wed Feb 18, 2015 8:12 am

uscreator wrote: All of the files on VestaCP are installed under 'admin'???
This includes binaries and other things (like Apache, nginx, fail2ban), all under 'admin'???
You are right, admin should not be used for web hosting at all in this case. Maybe some expert can correct me.
Nope, you got me a bit wrong. VestaCP installs files and binaries in the normal Unix way under root; apache2/nginx work with their own rights. It's the absolutely standard way. But user admin can use sudo, and I see a security issue there if we place all your sites under this account and enable SSH for this user (disabled by default).
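Added example, not VestaCP's code nor anything posted in the thread: a small Python audit that reads an Apache vhost file in the shape skurudo's basedir templates render and flags the three gaps the thread warns about, a site with no open_basedir, an open_basedir that reaches outside the account's home, and a site hosted under the sudo-capable admin account. The vhost sample, hostnames and user names are constructed; the only assumption about VestaCP is that DocumentRoot lives under /home/<user>/.

```python
import re
# Constructed sample in the shape VestaCP's Apache templates render once
# %docroot%, %home% and %user% are expanded; not copied from a real server.
SAMPLE_CONF = """
<VirtualHost *:8080>
    ServerName site1.example
    DocumentRoot /home/putin/web/site1.example/public_html
    php_admin_value open_basedir /home/putin/web/site1.example/public_html:/home/putin/tmp
</VirtualHost>
<VirtualHost *:8080>
    ServerName site2.example
    DocumentRoot /home/admin/web/site2.example/public_html
</VirtualHost>
<VirtualHost *:8080>
    ServerName site3.example
    DocumentRoot /home/test/web/site3.example/public_html
    php_admin_value open_basedir /home/test/web/site3.example/public_html:/tmp:/home/admin
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)

def parse_vhosts(conf):
    # One dict per <VirtualHost> holding the three directives the audit needs.
    vhosts = []
    for body in VHOST_RE.findall(conf):
        v = {"ServerName": None, "DocumentRoot": None, "open_basedir": None}
        for parts in (line.split() for line in body.splitlines()):
            if len(parts) >= 2 and parts[0] in ("ServerName", "DocumentRoot"):
                v[parts[0]] = parts[1]
            elif len(parts) >= 3 and parts[:2] == ["php_admin_value", "open_basedir"]:
                v["open_basedir"] = parts[2]
        vhosts.append(v)
    return vhosts

def audit_vhost(v):
    issues = []
    m = re.match(r"^/home/([^/]+)/", v["DocumentRoot"] or "")
    user = m.group(1) if m else ""  # "" means DocumentRoot is outside /home/<user>/
    if user == "admin":  # admin can sudo, so a PHP compromise there is far worse
        issues.append("site hosted under the admin account")
    if v["open_basedir"] is None:
        issues.append("no open_basedir set")  # PHP can read anything the user can
    else:
        for p in v["open_basedir"].split(":"):
            if not p.startswith(f"/home/{user}/"):  # reaches outside the account
                issues.append(f"open_basedir allows {p}")
    return issues

def audit(conf):
    return {v["ServerName"]: audit_vhost(v) for v in parse_vhosts(conf)}
```

Run it against the contents of /home/<user>/conf/web/ or the rendered vhost file on your own box; an empty list for a ServerName means that site matches the thread's advice.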

