Monday, May 07, 2018

Prevent users from uploading malicious scripts to cPanel

To prevent users from uploading malicious scripts to a cPanel account, we need to scan every upload that arrives through the two most common paths a user uses to upload files:

  1. The cPanel upload interface (File Manager), which goes through Apache.
  2. An FTP client, which goes through pure-ftpd.

First install clamdscan (ClamAV) and maldet (Linux Malware Detect). Then configure ModSecurity (modsec) in WHM so that files uploaded through Apache are inspected, and use the pure-uploadscript binary to call clamdscan or maldet on each file uploaded through FTP. Here are the steps:

Create an additional ModSecurity config:

nano /etc/apache2/conf.d/modsec/modsec2.user.conf
SecRequestBodyAccess On
SecTmpSaveUploadedFiles On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/" \

SecRequestBodyAccess On is what lets ModSecurity read the request body (the upload) at all, and SecTmpSaveUploadedFiles On makes it write each uploaded file part to a temporary file, so that the @inspectFile operator in the rule can hand that temporary file to the maldet scan script for a verdict before the request is allowed through.
Then restart Apache (on cPanel: /scripts/restartsrv_httpd).

Scan uploaded files from FTP:

Edit /etc/pure-ftpd/pure-ftpd.conf and set the CallUploadScript line to yes, so that pure-ftpd notifies pure-uploadscript after every completed upload:
CallUploadScript yes
Create the upload script under /etc/pure-ftpd/ with this content. pure-uploadscript runs it with the uploaded file's path as $1 and exports the file's size in bytes as UPLOAD_SIZE:
#!/bin/sh
# Maximum file size to scan in bytes; set to 10MB
MAXSIZE=10485760

# Only scan uploads at or below MAXSIZE; larger files are left untouched
if [ "$UPLOAD_SIZE" -le "$MAXSIZE" ]; then
  /usr/local/cpanel/3rdparty/bin/clamdscan --remove --quiet --no-summary "$1"
fi
Note that --remove deletes any file clamdscan flags outright, and that an upload larger than MAXSIZE (or one for which UPLOAD_SIZE is missing, since the test then fails) is never scanned.
Make the script executable:
chmod 755 /etc/pure-ftpd/
Start pure-uploadscript (-B runs it as a daemon, -r names the script to run for each finished upload):
pure-uploadscript -B -r /etc/pure-ftpd/
Start pure-uploadscript on boot:
echo "/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/" >> /etc/rc.d/rc.local
On systems where rc.local is not executable by default (CentOS 7 and later), also run chmod +x /etc/rc.d/rc.local, otherwise the line will never be executed at boot.
As an alternative to rc.local, create the systemd unit /usr/lib/systemd/system/pure-uploadscript.service with this content:
[Unit]
Description=PureFTP uploadscript service

[Service]
# No -B here: systemd expects the process to stay in the foreground
ExecStart=/usr/sbin/pure-uploadscript -r /etc/pure-ftpd/

[Install]
WantedBy=multi-user.target

Then reload systemd, enable the unit at boot and start it:
systemctl daemon-reload
systemctl enable pure-uploadscript.service
systemctl start pure-uploadscript.service
Restart pure-ftpd so that the CallUploadScript change takes effect:
systemctl restart pure-ftpd
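The upload script above has two weak spots: it deletes evidence (--remove) and it silently lets a file through when clamd is not running (clamdscan exits 2 on an error, which the script treats the same as clean) or when UPLOAD_SIZE is unset (the -le test fails, so nothing is scanned). The script below is an added example, not the original post's script, that generalises it for the same pure-uploadscript hook: it quarantines detections instead of deleting them, fails closed on scanner errors, measures the file itself when UPLOAD_SIZE is missing or not a number, and logs every decision to syslog. The clamdscan path and the UPLOAD_SIZE/UPLOAD_USER variables are the ones the post and pure-uploadscript use; the quarantine directory /var/quarantine, the SCANNER/MAXSIZE/QUARANTINE override variables, the function names and the return codes of scan_upload are my own assumptions.

```shell
#!/bin/sh
# Upload scanner for pure-uploadscript. Added example, not the original post's
# script. pure-uploadscript invokes it as  <script> /path/to/uploaded/file  and
# exports UPLOAD_SIZE (bytes) and UPLOAD_USER, among others, in the environment.
#
# Assumed, not taken from the post: the quarantine directory, the SCANNER /
# MAXSIZE / QUARANTINE override variables, and the return codes of scan_upload.

SCANNER="${SCANNER:-/usr/local/cpanel/3rdparty/bin/clamdscan}"  # cPanel's bundled clamdscan
MAXSIZE="${MAXSIZE:-10485760}"                # 10 MiB, the post's limit
QUARANTINE="${QUARANTINE:-/var/quarantine}"   # assumed location, created on first use
LOGTAG="ftp-upload-scan"

# scan_upload returns: 0 kept (clean), 1 quarantined (detection),
# 2 error (scanner failure or missing file; the file is quarantined when present),
# 3 skipped because it is larger than MAXSIZE.

log() {
    logger -t "$LOGTAG" "$*" 2>/dev/null || printf '%s: %s\n' "$LOGTAG" "$*" >&2
}

file_size() {
    wc -c < "$1" | tr -d ' '
}

# Move the file out of the FTP tree and strip its permissions, keeping it as evidence.
quarantine() {
    dest="$QUARANTINE/$(basename "$1").$(date +%s).$$.${UPLOAD_USER:-unknown}"
    if mkdir -p "$QUARANTINE" && mv "$1" "$dest" && chmod 000 "$dest"; then
        log "quarantined $1 as $dest"
    else
        log "FAILED to quarantine $1 (dest $dest)"
        return 1
    fi
}

scan_upload() {
    file="$1"
    [ -f "$file" ] || { log "no such upload: $file"; return 2; }

    # Trust UPLOAD_SIZE only if it is a plain integer; otherwise measure the file,
    # so a missing variable never silently skips the scan as the post's script does.
    size="$UPLOAD_SIZE"
    case "$size" in
        ''|*[!0-9]*) size="$(file_size "$file")" ;;
    esac

    if [ "$size" -gt "$MAXSIZE" ]; then
        log "skipped $file: $size bytes exceeds $MAXSIZE (uploader ${UPLOAD_USER:-unknown})"
        return 3
    fi

    # clamdscan exit codes: 0 clean, 1 infected, 2 error (e.g. clamd not running).
    if "$SCANNER" --quiet --no-summary "$file"; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) log "clean: $file"; return 0 ;;
        1) quarantine "$file" || return 2; return 1 ;;
        *) log "scanner error $rc on $file, quarantining (fail closed)"
           quarantine "$file"; return 2 ;;
    esac
}

# pure-uploadscript passes the uploaded file's path as the only argument.
if [ "$#" -ge 1 ]; then
    scan_upload "$1"
fi
```

pure-uploadscript does not act on the script's exit status, so the return codes exist for logging and for testing the script with a stand-in scanner (set SCANNER to a shell function that returns 0, 1 or 2). Failing closed on a scanner error means a broken clamd turns every FTP upload into a quarantine entry, which is noisy but visible; if that is unacceptable, change the `*)` branch to log and return 2 without quarantining. Oversized uploads are still skipped, as in the post, so MAXSIZE is the size of the largest script an attacker can upload without a scan. Like the original, this script covers only the FTP path; uploads through the cPanel File Manager are handled by the ModSecurity rule.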
