Monday, May 07, 2018

Prevent user from uploading malicious script to cpanel

To prevent users from uploading malicious scripts to a cPanel server, we need to scan uploaded files on the two most common paths a user takes to upload them:

  1. From cpanel upload interface.
  2. From ftp client.

First install clamdscan and maldet (Linux Malware Detect). Then configure ModSecurity in WHM for uploads through the web interface, and use the pure-uploadscript binary to call clamdscan or maldet on every file uploaded over FTP. Here are the steps:

Create an additional ModSecurity config file:

nano /etc/apache2/conf.d/modsec/modsec2.user.conf
SecRequestBodyAccess On
SecTmpSaveUploadedFiles On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
                "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"
This rule hands every file uploaded through the cPanel web interface (FILES_TMPNAMES) to maldet's hookscan.sh via @inspectFile; if the hook reports the file as malicious, the request is logged and denied in phase 2, before the upload is accepted. Then restart Apache.
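The post relies on maldet's own hookscan.sh for the @inspectFile check. As an added example (not the post's configuration, and not a maldet file), here is a minimal @inspectFile script that wraps clamdscan instead, so you can see the contract ModSecurity expects from such a script: it receives the temporary upload path as its only argument and must print one line, starting with "1" to accept the file or "0 <reason>" to reject it. The clamdscan path and the install location are assumptions.

```shell
#!/bin/bash
# Added example: an @inspectFile script for ModSecurity that wraps clamdscan.
# It is not the post's configuration, which hands uploads to maldet's own
# /usr/local/maldetect/hookscan.sh. The clamdscan path below is assumed.
#
# ModSecurity runs the script with the temporary upload path as $1 and reads
# the first line of stdout: a leading "1" means accept the file; anything
# else (by convention "0 <reason>") means reject it, and the rest of the line
# becomes the message in the audit log.

SCANNER=${SCANNER:-/usr/local/cpanel/3rdparty/bin/clamdscan}

# Turn the scanner's exit status (clamdscan: 0 clean, 1 infected, 2 error)
# and an optional signature name into the one-line verdict ModSecurity expects.
verdict() {
  local rc=$1 detail=$2
  case "$rc" in
    0) echo "1 clean" ;;
    1) echo "0 malware detected: ${detail:-unknown signature}" ;;
    *) echo "0 scanner unavailable (rc=$rc), upload refused" ;;  # fail closed
  esac
}

# Scan one file and print the verdict line.
inspect() {
  local file=$1 out rc sig
  [ -r "$file" ] || { echo "0 cannot read upload"; return 0; }
  if out=$("$SCANNER" --no-summary "$file" 2>&1); then
    rc=0
  else
    rc=$?
  fi
  # clamdscan reports hits as "<path>: <signature> FOUND"; keep the signature.
  sig=$(printf '%s\n' "$out" | sed -n 's/.*: \(.*\) FOUND$/\1/p' | head -n 1)
  verdict "$rc" "$sig"
}

# ModSecurity passes the file path as the only argument.
if [ $# -ge 1 ]; then
  inspect "$1"
fi
```

Install it somewhere Apache can execute it (for instance /usr/local/bin/modsec_clamscan.sh, an assumed path) and reference that path in the @inspectFile rule in place of hookscan.sh. The script fails closed: if clamd is down or returns an unexpected status, the upload is refused rather than silently allowed.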

Scan files uploaded via FTP:

Edit /etc/pure-ftpd/pure-ftpd.conf, modify the CallUploadScript line to yes.
[...]
CallUploadScript yes
[...]
Create the script /etc/pure-ftpd/clamav_check.sh:
#!/bin/bash
# pure-uploadscript runs this script after each completed upload, passing the
# file path as $1 and exporting UPLOAD_SIZE (the file size in bytes).
# Maximum file size to scan in bytes, set to 10MB.

MAXSIZE=10485760

# Only scan files within the size limit; clamdscan --remove deletes the file
# if it is detected as infected.
if [ "$UPLOAD_SIZE" -le "$MAXSIZE" ]; then
  /usr/local/cpanel/3rdparty/bin/clamdscan --remove --quiet --no-summary "$1"
fi
Make the script executable:
chmod 755 /etc/pure-ftpd/clamav_check.sh
Start pure-uploadscript (-B runs it in the background, -r names the script to run for each upload):
pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh
Start pure-uploadscript on boot:
echo "/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh" >> /etc/rc.d/rc.local
As an alternative to the rc.local method, follow these steps:
Create the unit file /usr/lib/systemd/system/pure-uploadscript.service with this content (it runs without -B because systemd keeps the process in the foreground; note that ExecStart points at /etc/pure-ftpd/lmd_check.sh, so use the path of the check script you actually created, such as the clamav_check.sh above):
[Unit]
Description=PureFTP uploadscript service
After=network.target
#Before=pure-ftpd.service

[Service]
#Type=simple
ExecStart=/usr/sbin/pure-uploadscript -r /etc/pure-ftpd/lmd_check.sh
#TimeoutStartSec=0

[Install]
#WantedBy=multi-user.target
WantedBy=default.target
Then reload the systemd daemon, enable the unit at boot and start it:
systemctl daemon-reload
systemctl enable pure-uploadscript.service
systemctl start pure-uploadscript.service
Restart pure-ftpd:
systemctl restart pure-ftpd
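The clamav_check.sh above deletes any infected upload outright and records nothing. As an added example (not the post's script, and not part of pure-ftpd or maldet), here is a hook for the same pure-uploadscript -r slot that keeps the size limit but quarantines infected files instead of removing them, logs every decision to syslog with the uploading user and vhost that pure-uploadscript exports, and distinguishes a scanner error from a clean result. The quarantine directory and the clamdscan path are assumptions.

```shell
#!/bin/bash
# Added example hook for pure-uploadscript; it is not the post's
# clamav_check.sh. pure-uploadscript runs it with the uploaded file's path
# as $1 and exports UPLOAD_SIZE, UPLOAD_USER, UPLOAD_VHOST and similar
# variables. Differences from the post's script: infected files are moved to
# a quarantine directory instead of deleted, scanner failures are logged, and
# every decision is written to syslog. Paths below are assumed.

MAXSIZE=${MAXSIZE:-10485760}                       # 10 MB, as in the post
QUARANTINE=${QUARANTINE:-/var/quarantine/ftp}      # assumed location
SCANNER=${SCANNER:-/usr/local/cpanel/3rdparty/bin/clamdscan}

# Write a line to stderr and, when logger(1) is available, to syslog.
log() {
  printf '%s\n' "$*" >&2
  if command -v logger >/dev/null 2>&1; then
    logger -t ftp-upload-scan "$*" 2>/dev/null || :
  fi
}

# True (0) when a file of $1 bytes is within the scan limit ($2, default MAXSIZE).
within_limit() {
  [ "$1" -le "${2:-$MAXSIZE}" ]
}

# Map clamdscan's exit status (0 clean, 1 infected, other error) to a word.
classify() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    *) echo error ;;
  esac
}

# Move a file into the quarantine directory and print its new path.
quarantine() {
  local file=$1 dest
  mkdir -p "$QUARANTINE"
  chmod 700 "$QUARANTINE"
  dest="$QUARANTINE/$(date +%Y%m%dT%H%M%S)_$$_$(basename "$file")"
  mv -- "$file" "$dest" && printf '%s\n' "$dest"
}

# Scan one uploaded file; always returns 0 so pure-uploadscript keeps running.
scan_upload() {
  local file=$1 size=${UPLOAD_SIZE:-0} rc dest who
  who="user=${UPLOAD_USER:-?} vhost=${UPLOAD_VHOST:-?}"
  if ! within_limit "$size"; then
    log "skipped $file ($size bytes > $MAXSIZE) $who"
    return 0
  fi
  if "$SCANNER" --quiet --no-summary "$file"; then
    rc=0
  else
    rc=$?
  fi
  case "$(classify "$rc")" in
    clean)    log "clean $file $who" ;;
    infected) dest=$(quarantine "$file")
              log "INFECTED $file $who quarantined as $dest" ;;
    error)    log "scanner error rc=$rc on $file $who (file left in place)" ;;
  esac
  return 0
}

# pure-uploadscript passes the uploaded file's path as the only argument.
if [ $# -ge 1 ]; then
  scan_upload "$1"
fi
```

Point the -r option of pure-uploadscript (or the ExecStart line of the unit above) at this script instead of clamav_check.sh. Keeping the quarantined copies lets you confirm what was caught and feed samples into maldet or ClamAV signature updates, and the syslog lines give you a per-user record of skipped oversized uploads, which the original script silently lets through.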
Sources:
http://panellinux.blogspot.co.id/2016/05/howto-virus-scan-ftp-uploaded-files-on.html
https://www.howtoforge.com/tutorial/how-to-integrate-clamav-into-pureftpd-for-virus-scanning-on-centos-7/
https://www.rfxn.com/appdocs/README.maldetect
