Prevent users from uploading malicious scripts to cPanel
To prevent users from uploading malicious scripts to cPanel, we need to scan files arriving through the two most common upload paths:
- From cpanel upload interface.
- From ftp client.
First install clamdscan and maldet, then configure ModSecurity in WHM and use the pure-uploadscript binary to call clamdscan or maldet to scan the uploaded file. Here are the steps:
Create an additional ModSecurity config:
nano /etc/apache2/conf.d/modsec/modsec2.user.conf
SecRequestBodyAccess On
SecTmpSaveUploadedFiles On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
    "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"
Then restart Apache.
Scan files uploaded over FTP:
Edit /etc/pure-ftpd/pure-ftpd.conf and set the CallUploadScript line to yes.
[...]
CallUploadScript yes
[...]
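Create the script /etc/pure-ftpd/clamav_check.sh:
#!/bin/bash
# Maximum file size to scan, in bytes (10 MB)
MAXSIZE=10485760
# pure-uploadscript passes the uploaded file path as $1 and its size in UPLOAD_SIZE
if [ "$UPLOAD_SIZE" -le "$MAXSIZE" ]; then
    # --remove deletes the file if clamdscan flags it as infected
    /usr/local/cpanel/3rdparty/bin/clamdscan --remove --quiet --no-summary "$1"
fi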
Change script mode:
chmod 755 /etc/pure-ftpd/clamav_check.sh
Start pure-uploadscript:
pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh
Start pure-uploadscript on boot:
echo "/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh" >> /etc/rc.d/rc.local
As an alternative to the rc.local method above, follow these steps:
Create the unit file /usr/lib/systemd/system/pure-uploadscript.service with the content below. Note that ExecStart points at /etc/pure-ftpd/lmd_check.sh, while the script created above is /etc/pure-ftpd/clamav_check.sh; set the path to the script you actually use.
[Unit]
Description=PureFTP uploadscript service
After=network.target
#Before=pure-ftpd.service
[Service]
#Type=simple
ExecStart=/usr/sbin/pure-uploadscript -r /etc/pure-ftpd/lmd_check.sh
#TimeoutStartSec=0
[Install]
#WantedBy=multi-user.target
WantedBy=default.target
Then reload the systemd daemon, enable the service at boot and start it:
systemctl daemon-reload
systemctl enable pure-uploadscript.service
systemctl start pure-uploadscript.service
Restart pure-ftpd:
systemctl restart pure-ftpd
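The clamav_check.sh above says nothing when a file is larger than MAXSIZE or when clamdscan itself fails, so those uploads pass unscanned and unrecorded. The following variant is an added example, not part of the original post: it logs every decision, distinguishes clamdscan's exit codes and quarantines instead of deleting. The quarantine directory and log path are assumed names, and --fdpass is an addition.

```shell
#!/bin/sh
# Added example (not the page's script): upload hook that never skips silently.
# pure-uploadscript passes the uploaded path as $1 and sets UPLOAD_SIZE/UPLOAD_USER.
MAXSIZE="${MAXSIZE:-10485760}"                    # 10 MB, as on the page
SCANNER="${SCANNER:-/usr/local/cpanel/3rdparty/bin/clamdscan}"
QUARANTINE="${QUARANTINE:-/var/quarantine/ftp}"   # assumed path
LOG="${LOG:-/var/log/ftp-upload-scan.log}"        # assumed path

# One log line per decision, so skipped and failed scans can be reviewed.
log_event() {
    printf '%s %s user=%s file=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "${UPLOAD_USER:-unknown}" "$2" >> "$LOG"
}

# Returns 0 = clean, 1 = infected (moved out of the upload path),
# 2 = not scanned (not a regular file, over MAXSIZE, or scanner error).
scan_upload() {
    file=$1
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        log_event "SKIP not-regular-file" "$file"; return 2
    fi
    size=${UPLOAD_SIZE:-$(wc -c < "$file")}
    if [ "$size" -gt "$MAXSIZE" ]; then
        log_event "SKIP oversize=$size" "$file"; return 2
    fi
    # --fdpass hands clamd an open descriptor, so it can scan files it cannot open itself.
    "$SCANNER" --fdpass --quiet --no-summary "$file"
    case $? in                      # clamdscan: 0 clean, 1 virus found, 2 error
        0) log_event "CLEAN" "$file"; return 0 ;;
        1) mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" &&
               mv -f "$file" "$QUARANTINE/$(basename "$file").$$" ||
               rm -f "$file"        # fall back to deletion, like --remove
           log_event "INFECTED" "$file"; return 1 ;;
        *) log_event "ERROR scanner-failed" "$file"; return 2 ;;
    esac
}

# Run only when invoked with a file argument, as pure-uploadscript does.
if [ -n "${1:-}" ]; then scan_upload "$1"; fi
```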
Sources:
http://panellinux.blogspot.co.id/2016/05/howto-virus-scan-ftp-uploaded-files-on.html
https://www.howtoforge.com/tutorial/how-to-integrate-clamav-into-pureftpd-for-virus-scanning-on-centos-7/
https://www.rfxn.com/appdocs/README.maldetect