Local Hack, DirectAdmin Custom Build

burning_vn

I built a DA Server some weeks ago and am going to start my hosting business.
These days, I've tested my DA Server with some local hack techniques (shell upload). DA was defeated. I can view the folder list of another account and its configuration file :(.

So, I need help from Security Experts to fix this problem. :(
 
Use PHP as CGI, or:
1. Enable open_basedir protection.
2. Disable dangerous functions such as: exec, system, shell_exec, dl, symlink, passthru, popen (and some others).
3. Enable safe_mode in /usr/local/lib/php.ini (leave it off for virtualhosts).
4. Disable IP/~user, because it doesn't take virtualhost settings, and because of that it's very insecure.
5. Use mod_security (optional) for additional security.
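
An added example, not part of the thread and not DirectAdmin's own code: a small Python audit of items 1 to 3 in the list above, run over constructed sample configuration. It assumes mod_php with open_basedir set per virtual host through php_admin_value; the function names and sample values are hypothetical, and items 4 and 5 are not covered.

```python
import re

# The functions named in item 2 above; its "and some others" is not expanded here.
DANGEROUS = {"exec", "system", "shell_exec", "dl", "symlink", "passthru", "popen"}

def parse_ini(text):
    """Return {directive: value} from php.ini text; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Items 2 and 3: disable_functions and safe_mode in the global php.ini."""
    s, findings = parse_ini(text), []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(DANGEROUS - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    if s.get("safe_mode", "off").lower() not in ("on", "1", "true", "yes"):
        findings.append("safe_mode is off")
    return findings

def audit_vhosts(text):
    """Item 1: every <VirtualHost> should pin open_basedir (assumes mod_php)."""
    findings = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        if not re.search(r"^\s*php_admin_value\s+open_basedir\s+\S+", body, re.M | re.I):
            findings.append("no open_basedir in vhost " + (name.group(1) if name else "?"))
    return findings

# Constructed sample configuration, not taken from a real server.
WEAK_INI = "[PHP]\nsafe_mode = Off\ndisable_functions = exec,system ; partial\n"
HARD_INI = "[PHP]\nsafe_mode = On\ndisable_functions = " + ",".join(sorted(DANGEROUS)) + "\n"
SAMPLE_APACHE = """<VirtualHost 192.0.2.10:80>
  ServerName a.example
  php_admin_value open_basedir /home/a/:/tmp/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName b.example
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit_php_ini(WEAK_INI), audit_php_ini(HARD_INI), audit_vhosts(SAMPLE_APACHE))
```

safe_mode exists only in PHP releases before 5.4, so the safe_mode check applies to servers of the era this thread describes.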
 
Thanks smtalk, I've followed your instructions and was successful in preventing the c99 shell local attack on my other accounts :D.

I'm searching for a module that lets Apache scan the HTTP header data. Does mod_security help Apache do that?
 
Martynas,

Do you have a How-To somewhere with this and other information in it?

Will you consider adding it to our Wiki as it moves into being live?

Thanks.

Jeff
 
No, I don't have any how-to :) But I'll include it in the Wiki when it is available.
 