
View Full Version : FYI- Fantastico exploit risk


BornOnline
10-20-2005, 10:36 AM
info http://www.netenberg.com/forum/viewtopic.php?t=3399

Fred
10-20-2005, 05:38 PM
Can mod_security help with this?

The problem only arises when they find a vulnerability and are able to upload a bot, eggdrop (or whatever), am I right? So the "hackers" use the 777 directory of Fantastico to run their stuff like others do in the /tmp directory, right?

mod_security would be able to catch an upload if the upload is made through a web application...

BornOnline
10-20-2005, 05:43 PM
Yes, if you look on page two of that thread you will see some mod_sec rules.

Fred
10-20-2005, 05:46 PM
Oh
Thanks... I saw a lot of useless junk about a guy having 2000 servers, so I closed the window :)

Fred
10-20-2005, 06:03 PM
I will add these:
SecFilter "arta\.zip"
SecFilter "cmd=cd\x20/var"
SecFilter "master_files"
SecFilter "HCL_path"
SecFilter "clamav-partial"
SecFilter "vi\.recover"
SecFilter "netenberg"
SecFilter "pipe.php"
SecFilter "cse.gif"
SecFilter "psybnc"
SecFilter "fantastico_de_luxe"

as soon as I have 15 minutes to test them...

Also, I know that PowerVPS has a file that contains mod_sec rules that are used on all VPSs... It could be a good idea to include (after a test) these rules in that file so every user will have them...

Fred
10-20-2005, 06:05 PM
Well... I just looked at it... The rules about pipe.php and cse.gif shouldn't be enabled, or they could cause problems on some users' websites... It's pretty common to have a pipe.php, and as for cse.gif... I'm not sure why it's there...
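
As an added example (not from this thread, and not mod_security's own code), the following Python replays Fred's SecFilter patterns as plain regular expressions over a few constructed request lines. It shows why the caution about pipe.php and cse.gif is justified (the unescaped "." matches any character, and legitimate files with those names trip the rule) and that the cmd=cd\x20/var pattern only fires on the decoded form of a request. It does not reproduce mod_security's own request normalisation, so it shows only what the regexes themselves match.

```python
import re

# Fred's SecFilter lines from this thread, as plain text (mod_security 1.x syntax).
# The quoted part of each directive is a regular expression; we replay it with
# Python's re, which understands the same \. and \x20 escapes.
RULES = r'''
SecFilter "arta\.zip"
SecFilter "cmd=cd\x20/var"
SecFilter "master_files"
SecFilter "HCL_path"
SecFilter "clamav-partial"
SecFilter "vi\.recover"
SecFilter "netenberg"
SecFilter "pipe.php"
SecFilter "cse.gif"
SecFilter "psybnc"
SecFilter "fantastico_de_luxe"
'''

SECFILTER_RE = re.compile(r'^SecFilter\s+"((?:[^"\\]|\\.)*)"\s*$')

def parse_secfilters(text):
    """Extract the regex patterns from SecFilter directives, in order."""
    return [m.group(1) for line in text.splitlines()
            if (m := SECFILTER_RE.match(line.strip()))]

def matching_rules(patterns, request):
    """Patterns that fire on one request string (case-sensitive, like the originals)."""
    return [p for p in patterns if re.search(p, request)]

# Constructed sample request lines (not from the thread):
SAMPLE_REQUESTS = [
    "GET /index.php?cmd=cd%20/var/tmp HTTP/1.1",  # still URL-encoded: no hit
    "GET /index.php?cmd=cd /var/tmp HTTP/1.1",    # same request, decoded: hit
    "GET /includes/pipe.php?id=3 HTTP/1.1",        # a site's own pipe.php: false positive
    "GET /images/cse-gif.png HTTP/1.1",            # unescaped '.' also matches '-'
    "GET /blog/?p=42 HTTP/1.1",                    # ordinary traffic
]

def scan(patterns, requests):
    """Map each request to the list of patterns that matched it."""
    return {r: matching_rules(patterns, r) for r in requests}

if __name__ == "__main__":
    for req, hits in scan(parse_secfilters(RULES), SAMPLE_REQUESTS).items():
        print(f"{req!r:50} -> {hits or 'no match'}")
```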

Izzy
10-21-2005, 01:47 PM
This is from the latest WHM Fantastico update, marked as to do ASAP in the cPanel forums.
http://forums.cpanel.net/showthread.php?t=45493
to all:
Please update to Fantastico 2.10.0 r15 asap.
kosmo

Added:
* Fantastico De Luxe Provisional Security Module (based on chattr/chflags)

NOTE:
You will not have to care about protection any more, Fantastico will take over the protection for regular operation and unprotection/protection when updating the master files.

Virtuozzo powered VPS does not use the chattr flags. How can this security protection offered by Fantastico be effective for Virtuozzo VPS users?

BornOnline
10-21-2005, 03:13 PM
I was wondering the same thing. Is there another way to do this?

Izzy
10-22-2005, 02:54 AM
It seems that Fantastico may have an answer for VPS users soon. It might pay off not to upgrade just yet until this 'final' solution is available. Then check the forums to see if it indeed is the 'final' solution. ;)

From the cPanel forums:
I am afraid it will not work on VPS and you have to wait for our final solution, which will be here in some days. I suggest protecting your server using mod_security as suggested earlier in this thread.

kosmo
The mod_sec signatures mentioned above and in the cPanel forums can be found here (I installed these and they seem to be working as intended) :) :
If anyone would like MY ruleset, it is at:

http://www.hostmerit.com/modsec.user.conf

This is assuming you used CPanel / WHM Addon Modules to install Mod_sec.
This would go in /usr/local/apache/conf/
Kris

Fred
10-22-2005, 12:05 PM
This guy has a huge mod_sec rules file... I'm impressed... it looks like he worked a lot on his rules file... :)

Izzy
10-22-2005, 06:57 PM
Some more info re VPS and chattr which I am hoping draws a response from someone from Defender. ;)


http://forums.cpanel.net/showpost.php?p=216363&postcount=21
Just a side FYI.... CHATTR does indeed work on Virtuozzo VPS based servers, but it is not installed on those systems by default.

I've compiled the chattr code from Redhat and placed it in a few of those VPS systems, and surprisingly it actually works just fine. So it's apparently just that they omitted chattr from the installed files on the VPS rather than any real technical reason.

After running a number of tests and attacks on files chattr +i, everything seems to work 100% perfectly as would be expected on a normal system having chattr already installed.
Spiral

1. Is there a real issue with not having chattr installed on a Virtuozzo VPS?
2. Are there any technical reasons for not installing it?
3. What is the official line from the Virtuozzo developers on this if it is known by anyone at Defender?
4. In light of its obvious advantages, as seen in this Fantastico issue, and if there were no real problems with its implementation, would Defender be inclined to install it on their VPS servers?

Often I still see chattr error messages on cPanel updates and while installing/upgrading other software, which I know to ignore now.

This issue with Fantastico and its use of chattr would have been a handy quick fix for VPS users had it been implemented in Virtuozzo.
In the interim the mod_sec band-aid approach seems to be working, but the master files could still be vulnerable. Also, any clients installing Fantastico scripts on your VPS might already have been compromised, so perhaps a thorough investigation of any Fantastico script installs might be in order. With some relief, after doing this investigation I found my VPS to be clean :)

charles
10-24-2005, 11:10 AM
Swsoft insists this cannot work on a VPS as these use ioctls not supported by vzfs. I'd like to know if someone can prove it works.

charles

vps-vince
10-24-2005, 04:32 PM
If your server is 'clean', probably best to wait a few more days:

Posted: 22 October 2005, 5:48

Vince,

since chattr will not work on VPS, you have to wait for our final solution, which will be here in some days. I suggest protecting your server using mod_security as suggested in this thread by HostMerit: http://netenberg.com/forum/viewtopic.php?p=17254#17254

kosmo

http://www.netenberg.com/forum/viewtopic.php?t=3399&postdays=0&postorder=asc&start=30

- Vince

charles
10-25-2005, 08:33 AM
Upon further investigation, I believe the person reporting being able to use chattr is testing this on an ext2/ext3 filesystem. It's possible to mount ext2/ext3 on a VPS, but I get the indication from sw-soft that it's not advised to use chattr with it if you did.

We use vzfs for our /tmp partitions so chattr will not work at PowerVPS.

charles
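
Since the thread ends up disputing whether chattr +i is actually enforced on a Virtuozzo/vzfs VPS, here is an added probe (my own example, not from the thread, sw-soft or Netenberg) that settles the question for a given directory: it creates a scratch file, sets the immutable flag, and checks whether a write is really refused. It assumes a Linux host with the chattr binary on the PATH and root privileges for a conclusive answer.

```python
import os
import shutil
import subprocess
import tempfile

# Return codes of probe_immutable():
#   0  chattr +i is honoured (a write to the immutable file was refused)
#   1  chattr +i is not honoured here (flag rejected as root, or write still went through)
#   2  could not test (no chattr binary, not root, or directory not writable)

def _chattr(flag, path):
    """Run chattr with the given flag; True on success, False otherwise."""
    res = subprocess.run(["chattr", flag, path],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0

def probe_immutable(directory="/tmp"):
    """Test whether the immutable attribute is enforced for files in directory."""
    if shutil.which("chattr") is None:
        return 2
    try:
        fd, path = tempfile.mkstemp(prefix="immutable_probe.", dir=directory)
    except OSError:
        return 2
    os.close(fd)
    try:
        if not _chattr("+i", path):
            # Setting the flag needs CAP_LINUX_IMMUTABLE; as root a failure means
            # the filesystem rejected the ioctl (sw-soft's claim for vzfs).
            return 1 if os.geteuid() == 0 else 2
        try:
            with open(path, "a") as fh:
                fh.write("tamper\n")
        except PermissionError:
            return 0   # write refused: the attribute is enforced
        return 1       # flag "set" but the file was still writable
    finally:
        _chattr("-i", path)          # harmless if the flag was never set
        try:
            os.unlink(path)
        except OSError:
            pass                     # only reachable if -i could not be cleared

def leftover_probe_files(directory="/tmp"):
    """Scratch files this probe failed to clean up (should be empty)."""
    return [f for f in os.listdir(directory) if f.startswith("immutable_probe.")]

if __name__ == "__main__":
    names = {0: "enforced", 1: "NOT enforced", 2: "could not test"}
    print("chattr +i on /tmp:", names[probe_immutable("/tmp")])
```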

Izzy
10-26-2005, 12:17 AM
Thanks Charles, that seems to have laid this chattr issue on vzfs powered VPS to rest now.

All we need to do now is wait for the Netenberg crew to fix this security issue with an alternative to changing the immutable attribute for the Virtuozzo users and of course a prayer or two. :) They are not known to be on high octane fuel. ;)

vps-vince
11-08-2005, 03:26 AM
Update:

Users with Virtuozzo VPS systems can now update to the latest Fantastico 2.10.2 r1

http://netenberg.com/forum/viewtopic.php?p=17687#17687

They advise you make sure that you follow the post-upgrade instructions outlined here - http://www.netenberg.com/forum/viewtopic.php?t=3541

- Vince

Chris
11-08-2005, 09:20 PM
Thanks for the heads up vince.

Updated as instructed. Got a chattr problem when doing the shell commands, but it appears that is a point of continual discussion on the board.

Installation seems to work fine nonetheless.

vps-vince
11-12-2005, 11:01 AM
Update:
http://netenberg.com/forum/viewtopic.php?p=17829#17829

An admin option to help identify a VPS to the Fantastico installer will be implemented soon.

I like 'simple' :D

- Vince