When cpanel has apache 2.2 available. I am planning on switching my servers over to it and to SuPHP from mod_php. There are hundreds of accounts on my different servers and I am worried about the transition. I know cpanel has a permission conversion script, but I dont completely trust it. The biggest issue to me though, is all the users that have php_values and flags in their htaccess files that would then be needed converted to php.ini's. Has anyone created a conversion script for doing this in an automated fashion?
I might not even convert my full servers to this and just do with the partial ones (less than 25%), but I really think it would benefit the customers and myself with the nice added layer of protection of suphp.
I'm not sure if this should go in this forum or not so admins feel free to move it to the appropriate place.
I am looking at moving to a new VPS host and was just wondering what the best method of moving sites over while having the least amount of downtime.
Is it better to set up the new VPS with new nameservers and then change the nameservers for each domain once ready to move the sites over, or should I keep the nameservers and just change the IP they point to when ready to switch?
Just when you thought a host could not possibly get any worse...
THEY DO! <snicker>
This time they have really, really outdone themselves. As many of you know..Plesk is not optional. You can remove it..but..like CP..it's not same as starting fresh.
Well..I login to my big one (The only one I've had problems with) to see what poor webhostautomation was talking about. A new error...I had never seen it before..and I had attempted to install Helm on this brute many times before..before handing it over to them.
1&1 has added something...and it is the source of this new error..I am almost 100% sure of it. Today..I decided...I give up..ok...you force me to use Plesk..I'll use Plesk.
I try to login to Plesk..guess what..this new addition prevents Plesk from working. Brilliant job, folks!
You can remake it from the primary image..but..that will do you good.
Luckily, I have a backup that does not have this new crap on it...and are restoring the vps from this "clean" backup as we speak.
I'm running a shared hosting environment and I'd like to know if it's even possible to secure the Apache while it's running mod_php. I know I could go suPHP with PHP-CGI, but that'd increase drastically the server load.
So what should I do to best secure the server?
So far now I did:
- Apache: Installed mod_security and mod_evasive.
- PHP: Set register_globals=OFF Set disable_functions = ini_restore, popen, exec, shell_exec, system, passthru, proc_open, proc_close Set safemode=ON Set open_basedir to user's directory on virtualhost
Is that would be a secure environment for my users?
we have installed suPHP along with suhosin on server to prevent upload of illegal scripts but still we are having problems with scripts used for phishing web sites! We have a lot of Joomla users and other php apps installed on server.
I have a Linux server for shared hosting in which I am using Cpanel/WHM. I have PHP running as suPHP which I believe is for security. The problem I am facing is a lot of PHP based websites create load on the server and consume as much as 10% of the CPU and sometimes some script even consumes 50% CPU. I think I can reduce the load caused by the PHP scripts by installing eAccelerator. However, it does not work with PHP running as suPHP. Can anybody tell me which one should I choose of the both? Is there any other way to reduce the load on the server?
I'm running a dedicated server (ie my site only) which is primarily a vbulletin powered site.
I was wondering if it is beneficial in running PHP as suPHP along with suhosin?
A lot of articles I see seem to be aimed at shared setups where there are other users with various (possibly) untrusted scripts.
It is a WHM/cPanel managed server which by default is set to run PHP5 as DSO (Apache module).
suexec is installed however this only affect CGI scripts correct?
I recently had a (paid) security audit completed and I asked the question about suhosin. The reply I got was:
You do not need suhosin as you do not run suPHP we enforce posix acl's which will prevent vulnerable scripts from being able to download to the system easily and prevent the automated attacks. You can try this by installing a phpshell and you will see it's not very effective, only php functions are really of any use (such as readfile() and so on) but it will prevent things like wget xxx.
Should I recompile Apache (via EasyApache) with suPHP and suhosin or just leave as is?
3. I setup vsftpd with chroot to each virtual host.
This works very nice as long as each client has only one ftp account. But if a client(website1) wants to have multiple ftp accounts( ex. john, john100, john200), they would mess up the file ownership when they upload and change files. Since suPHP executes PHP scripts with the permissions of their owners (suPHP_UserGroup John group1, suPHP would complain their setid is mismatched because the John100 is not the suPHP_USERGROUP owner(John). I have tried Virtual Hosting with Vsftpd and Mysql, that didn't work because all the virutal users would be acting as one user (guest_username=virtualftp) when they upload and change files. I am wondering if there is ways to allow multiple ftp accounts for each Virutal host working together with suPHP. Or It is possible for ftp user to change ownership once they log in.
Today I took the leap and switched to suPHP, rather than the Apache module. This is just what suited us best for hosting our own websites, keeping them more isolated from eachother bar a certain shared directory.
All is great, apart from I'm now noticing Zombie processes all of the time. These processes do seem to go away though, if I watch top the amount of Zombie processes will go up and down between 0 and 10.
Are these processes a problem, considering they do leave after a while? I've read up about Zombie processes and it would seem that as long as they are closing at some point, instead of hanging around, then that's fine. Is this supposed to happen in my setup?
After upgrading to Apache2, installing suPHP and mod_userdir, and enabling open_basedir, I can still browse other users webroot with a c99 shell script. to increase protection without needing safe_mode on?
WHM 11.11.0 cPanel 11.15.0-R17665 CENTOS Enterprise 5 i686 on standard - WHM X v3.1.0 apache 1.3.37
and now the server run without phpsuexec so i try to recompile apache with php security and suphp module but the php.ini files still didn't work in the client's sites and there is alot of scripts want php.ini files for safemode = off , etc even the top process show me nobody not users to know who spam or other tings
i run this command
and i got
php has not yet been configured with EA3
with the new update cpanel i can't run php.ini files anymore
A server I have runs DA. On this server I switched php to SUPHP. This combo has worked 99% good so far except for one big pain in the ***.
When ever a new domain, sub domain or a pointer domain is added I get a php_admin_flag error and Apache will not restart untill I rem out all instances of php_admin_flag lines in the httpd.conf file.
Code: Stopping httpd: [FAILED] Starting httpd: Syntax error on line 31 of /usr/local/directadmin/data/users/****/httpd.conf: Invalid command 'php_admin_flag', perhaps mis-spelled or defined by a module not included in the server configuration [FAILED]
Has anyone solved this? Apperantely the new version of DA was suppose to fix this but I upgraded DA today and at the end I ended having to rem out all php_admin_flag instances for all domains on that server which = good times.
I'm using suphp to secure a shared web hosting server and am confused about one issue I'm having. It is my understanding that using suphp, you should be able to chmod 755 all directories and chmod 600 all files since apache runs the .php files as the user.
However, when I chmod 600 all files, the formatting of the sites gets messed up. It loses all css and if you try to view image files in the browser you get a permission denied error. Why is that?
As a temporary solution, I can chmod 644 all files and then 600 only sensitive files like config files (wp-config.php for WordPress for example), but I'd rather just chmod 600 everything.
Can anyone explain why 600 doesn't work?
With 644 permissions, any user could upload a script like:
Code: <?php $filename = realpath("/home/user/public_html/wp-config.php"); $handle = fopen($filename, "r"); $contents = fread($handle, filesize($filename)); fclose($handle); echo '<textarea name="textareaName" rows="46" cols="103">'.$contents.'</textarea>'; ?> and view another users's file if it is 644.