Better process tracking using suPHP

Source: 百度文库 (Baidu Wenku)  Editor: 九乡新闻网  Time: 2024/04/28 15:13:17

Constant phishing/spamming complaints can get extremely tiresome, and tracking down the source of the problem is not always easy. It won't be long before your IP addresses are listed on popular RBLs and your customers start complaining about mail delivery problems. To nip these problems in the bud, we have to look for better ways to track down their source. One way to track processes better on a cPanel server is switching to suPHP.


On a server that is running PHP as a DSO module, all PHP pages/scripts are executed with the permissions of the same user as the Apache web server. Two commonly used users are “apache” and “nobody”. On a shared hosting server this is a problem because all accounts on the server will have their PHP scripts executed by this same user. So if a malicious file/script is uploaded to, say, the “/tmp” folder on the server, it will be impossible to track down which account was used to upload this file. This is where suPHP can help.


suPHP is very effective in tracking the processes that are running on the server. “suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suPHP) that is called by the Apache module to change the uid of the process executing the PHP interpreter.” - suPHP.org


Once suPHP is enabled:
1. All the PHP scripts will run under the ownership of the user who owns the script.
2. The PHP scripts will be allowed a maximum of 644 permission.
3. PHP scripts will only work in folders that have a maximum of 755 permission.


With cPanel we can switch to suPHP in 8 simple steps. It is recommended to do this during off-peak hours as it involves recompiling Apache/PHP. This means the sites will be unavailable for some time, but not more than 30 minutes.


1. Data to be collected - Before the switch

a) Find the current PHP configuration on the server.
# /usr/local/cpanel/bin/rebuild_phpconf --current
b) Number of domains - This is to get an idea of the estimated time of completion. The more domains you have, the longer it will take for the switch to be completed.
c) Check the current PHP configuration to find modules currently enabled in PHP, so you will know if any of them are missing after the switch.
# php -i | grep configure
d) Apache version
# /usr/local/apache/bin/httpd -V


2. Run easyapache script - /scripts/easyapache

Enable mod_suphp.
After recompilation make sure that all required modules are enabled on the server.


3. Correct the permissions of all files/folders inside /home

Once suPHP is enabled, PHP scripts with permissions greater than 644 will throw a “500 Internal Server Error”; the same is the case for any PHP script inside a folder with permissions greater than 755. So once suPHP has been enabled you must make sure that:
a) All PHP scripts have permissions of 644 and below.
b) All folders with PHP scripts should have permissions of 755 and below.


4. Remove PHP variables from .htaccess

When PHP is running as a DSO, PHP variables can be changed by using the “.htaccess” file. Once you switch to suPHP this is no longer applicable. All settings will have to be changed using a php.ini file in the corresponding folder. Not only that, if you leave the values in the “.htaccess” file, PHP will not work in those folders. So you must check each “.htaccess” file to make sure no PHP variables are set in it.


 

5. Change PHP handler to suPHP

This can be done via WHM at:

Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration

You can select which version of PHP you wish to run as suPHP. If you have both PHP4 and PHP5 on your server, it is recommended you set them both to suPHP, but you can choose various combinations of suPHP, DSO and CGI.


 

6. Copy /usr/local/lib/php.ini to individual domains.

Manually make the necessary modifications to PHP variables in the php.ini of each domain. You can write a bash script to do this if you have many domains.


 

7. Set the suPHP_ConfigPath

To set this enter the following line in a “.htaccess” file:
suPHP_ConfigPath /home/username/public_html

Once this is set, the php.ini file in the folder /home/username/public_html will be effective for all subfolders too. So this will be useful if you have to make the PHP settings effective on all folders of the domain.


 

8. Check the Apache error logs

If there are still permission and ownership issues, you will see errors like “Premature end of script headers”. Locate the file and correct its permissions, or those of the folder in which it is located.


Congratulations! Your server will now be running suPHP and all domain folders/files should have the correct permissions/ownership.
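The permission rules from step 3 and the “.htaccess” check from step 4 can be run as a read-only audit before and after the handler change. This is an added example, not part of the original article: the function names and the sample tree are constructed for illustration, and it assumes the Linux find and stat found on a cPanel host.

```sh
#!/bin/sh
# Added example (not from the article): read-only audit for steps 3 and 4.
# Assumes Linux find/stat; nothing on disk is modified by the audit itself.

# Step 3: PHP scripts with any permission bit outside 644. Prints mode, owner, path.
loose_php_files() {
    find "$1" -type f -name '*.php' \
        \( -perm -0100 -o -perm -0020 -o -perm -0010 -o -perm -0002 -o -perm -0001 \) \
        -exec stat -c '%a %U %n' {} +
}

# Step 3: directories with group or other write, i.e. outside 755.
loose_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -exec stat -c '%a %U %n' {} +
}

# Step 4: .htaccess lines that set PHP variables (mod_php directives).
# grep exits non-zero when nothing matches, so the status is normalised.
htaccess_php_lines() {
    find "$1" -type f -name .htaccess \
        -exec grep -HniE '^[[:space:]]*php_(admin_)?(value|flag)[[:space:]]' {} + || true
}

# Prints tagged findings; returns 1 if anything needs fixing, else 0.
suphp_audit() {
    audit_out=$(
        loose_php_files "$1" | sed 's/^/PHP  /'
        loose_dirs "$1" | sed 's/^/DIR  /'
        htaccess_php_lines "$1" | sed 's/^/HTA  /'
    )
    [ -z "$audit_out" ] && return 0
    printf '%s\n' "$audit_out"
    return 1
}

# Constructed sample tree standing in for /home (demo data only).
make_sample_home() {
    s=$(mktemp -d) && mkdir -p "$s/alice/public_html/cache" "$s/bob/public_html"
    printf '<?php echo 1;\n' | tee "$s/alice/public_html/index.php" \
        "$s/alice/public_html/upload.php" > "$s/bob/public_html/index.php"
    printf 'php_value memory_limit 64M\nRewriteEngine On\n' > "$s/alice/public_html/.htaccess"
    printf 'RewriteEngine On\n' > "$s/bob/public_html/.htaccess"
    chmod 755 "$s" "$s/alice" "$s/bob" "$s/alice/public_html" "$s/bob/public_html"
    chmod 644 "$s"/*/public_html/*.php "$s"/*/public_html/.htaccess
    chmod 666 "$s/alice/public_html/upload.php"; chmod 777 "$s/alice/public_html/cache"
    echo "$s"
}

# Usage: suphp_audit /home      (demo: suphp_audit "$(make_sample_home)")
```

Each finding names the owning account, so the list can be handed to the account holder or corrected with chmod 644 / chmod 755 after review.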


Recommendation:

An easy way to get alerts when a particular user is abusing server resources would be to install CSF. CSF can be configured to send alerts to your desired email address. More details are available here.
I personally recommend suPHP+csf for better management of servers.