My thoughts about security and some other improvements

Hello,

I have used InterWorx for 2 years now (since v1.3, I think). A lot of improvements have been made since then. Pretty good.

But some good functionalities have disappeared. I found them very useful.

  • Alert email and text tweaks (to admin nodeworx and user). The best would be to have an alert email sent to the admin when, for example, a siteworx reaches its bandwidth limit. It would also be great to be able to define via the GUI the text in the email sent. This last functionality existed in the first version :slight_smile:

  • API
    We use the API provided by iworx to automate the creation of new siteworx accounts. This is great, and a few software packages use this API (MB, CE, …)
    For us, iworx customers, it would be great to have full documentation about this (it existed but has disappeared). From our point of view, we need some new functionalities implemented in the API: birthday date, scriptworx, default language, …
    We do not use the API to delete accounts yet, but we’d really like to have an API to update the account. At least be able to suspend it, but the best would be to be able to change all the definitions of the siteworx account (disk space, BW, etc…)

Indeed, we have a home-made client management system with a gateway to payments and to iworx. So from our home-made client admin panel we are able to automatically create a new account when it has been paid for, and we’d really like to automate all the other tasks, like:
Suspend account (if it hasn’t paid for n days)
Modify account (our customers have the ability to modify their account online, so after we receive the payment we could update the account automatically)

  • Security.
    We are all concerned about security. I find it may be useful to have:
  • suPHP
  • More httpd.conf tweaks, for example having
    <Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
    </Directory>

    then in every vhost add
    Order Allow,Deny
    Allow from all

    It could secure the whole file system.

  • Have in every vhost:
    something like
    php_admin_value open_basedir "<<WEBROOT>>:/tmp"
    be able to set up, enable, disable safe_mode per vhost in the GUI interface

  • Have the list of the httpd modules that are not necessary by default

  • and surely others

I’m pretty sure the iworx staff works hard and has a lot of ideas. Everything can’t be done in one shot :wink:

I’m not going to speak about other evolutions, like reseller templates, backup, restore and mass import/transfer improvements, GUI tweaks, the ability to use skel files, etc… because I know they are working on them.

Pascal
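
An added example, not part of the original post and not InterWorx code: a shell audit that checks an httpd.conf for the two settings proposed above, a default-deny `<Directory />` block and a per-vhost `open_basedir`. The function names, the sample config and its `site-a.example` / `site-b.example` hosts and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not InterWorx code). Exit 0 when <Directory /> denies all access;
# accepts "Deny from all" (2.2, as in the post) or "Require all denied" (2.4).
root_dir_denied() {
    awk '
        $1 == "<Directory" && $2 ~ /^"?\/"?>$/ { inroot = 1; next }
        inroot && $1 ~ /^<\/Directory/          { inroot = 0 }
        inroot && tolower($0) ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print the ServerName of every <VirtualHost> with no php_admin_value open_basedir.
vhosts_without_open_basedir() {
    awk '
        tolower($1) ~ /^<virtualhost/   { invh = 1; ok = 0; name = "(no ServerName)"; next }
        tolower($1) ~ /^<\/virtualhost/ { if (invh && !ok) print name; invh = 0; next }
        invh && tolower($1) == "servername" { name = $2 }
        invh && tolower($1) == "php_admin_value" && tolower($2) == "open_basedir" { ok = 1 }
    ' "$1"
}

# Constructed sample: site-a follows the post, site-b has no open_basedir.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<VirtualHost *:80>
    ServerName site-a.example
    <Directory /home/sitea/html>
        Order Allow,Deny
        Allow from all
    </Directory>
    php_admin_value open_basedir "/home/sitea/html:/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName site-b.example
</VirtualHost>
EOF
}

if [ -n "${1:-}" ]; then
    root_dir_denied "$1" || echo "WARNING: <Directory /> is not default-deny"
    vhosts_without_open_basedir "$1" | sed 's/^/no open_basedir: /'
fi
```

Run it with the path of a real config file as the only argument to audit that file instead of the sample.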

About when I started, I think :slight_smile:

But some good functionalities have disappeared. I found them very useful.

  • Alert email and text tweaks (to admin nodeworx and user). The best would be to have an alert email sent to the admin when, for example, a siteworx reaches its bandwidth limit. It would also be great to be able to define via the GUI the text in the email sent. This last functionality existed in the first version :slight_smile:

This is coming back, Pascal, in a substantially rewritten form.

  • API
    We use the API provided by iworx to automate the creation of new siteworx accounts. This is great, and a few software packages use this API (MB, CE, …)
    For us, iworx customers, it would be great to have full documentation about this (it existed but has disappeared). From our point of view, we need some new functionalities implemented in the API: birthday date, scriptworx, default language, …
    We do not use the API to delete accounts yet, but we’d really like to have an API to update the account. At least be able to suspend it, but the best would be to be able to change all the definitions of the siteworx account (disk space, BW, etc…)

Indeed, we have a home-made client management system with a gateway to payments and to iworx. So from our home-made client admin panel we are able to automatically create a new account when it has been paid for, and we’d really like to automate all the other tasks, like:
Suspend account (if it hasn’t paid for n days)
Modify account (our customers have the ability to modify their account online, so after we receive the payment we could update the account automatically)

More functionality in the API is in the works.

As for the rest of your suggestions, I’m sure the developers will take them under advisement.

Thanks for the feedback!

Thanks Tim. Pleased to read you.

Pascal

I’m not overly technical by any means in the UNIX world.

Our server has been hacked and the hosts are saying it was accessed through a script vulnerability. Searching on this site, I don’t see any security issues and fixes relating to 2.4.1 (I think it’s the latest release we got).

The hosts are saying that InterWorx clears the server logs every 10 minutes or so, so they can’t trace how the break-in occurs, but the leak they claim is through a script. Either InterWorx or vBulletin. And vBulletin is at 3.5.0 and 3.5.1 on 2 sites.

Also that InterWorx has a way of preventing this problem. Is this true? And if so how?

Here’s the host’s exact report;

…they were running an irc proxy on your server under the user ‘apache’ from /var/tmp. Generally this means that you have an exploitable script on your server… unfortunately it seems that interworx rotates the log files every 10 minutes so it’s almost impossible to track down the exact point of entry at this time…

Thanks for trying, but the InterWorx root log you’ve been emailed really doesn’t help me any…
I need the webserver site logs to even TRY to track down the cause…
unfortunately I don’t understand exactly how interworx runs the logs so…

As for what the hack did… from what I am able to tell they installed a group of files in ‘/var/tmp/…’ included in these files was an IRC proxy server which was actively running under the guise of the program named ‘init’ (don’t just go and kill init on the server, it’s very important)
while this doesn’t seem to be very bad… the method proves how bad it COULD be… if they are able to upload files to your server… and execute them under the user that the webserver runs as… they effectively have WRITE access to anywhere that the webserver can write to… any files that could be updated by the webserver can be systematically deleted… with that privilege level.
as all they have to do is upload a script that deletes every file on the server… and it will delete every file it can…

If I am not mistaken interworx should have some type of firewall service that can be set up through its admin section. I recommend utilizing this function and only allowing the services that you are offering to be accessed… this deters hackers from attempting to hijack your machine (as their irc proxy would be unreachable) however this does NOT stop them from abusing the scripts on the webserver and nuking your sites… so… I would still verify the security of all scripts on the server at a very high priority…

Any comments from the knowledgeable people here?

Thank you all in advance.
Scruff
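
An added example, not part of the original thread: a shell check for the pattern in the host's report, a process named `init` that is not PID 1, or one whose binary lives under a temp directory. The function names, the reason labels and the sample process list (including the `/var/tmp/example-dir` path) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Records are tab-separated: PID USER COMM EXE.

# Build records from /proc on a live Linux host; run as root so every exe link is readable.
# COMM can be set by the process itself; the exe link shows where the binary really is.
collect_procs() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads have no exe
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        user=$(stat -c %U "$d" 2>/dev/null) || continue
        printf '%s\t%s\t%s\t%s\n' "${d#/proc/}" "$user" "$comm" "$exe"
    done
}

# Read records on stdin, print PID, USER, EXE and the reasons for each flagged process.
flag_suspicious() {
    awk -F'\t' '
        { pid = $1; user = $2; comm = $3; exe = $4; why = "" }
        exe ~ /^\/(var\/tmp|tmp|dev\/shm)\// { why = "temp-dir-exe" }
        comm == "init" && pid != 1 { why = (why ? why "," : "") "init-not-pid-1" }
        why != "" { print pid "\t" user "\t" exe "\t" why }
    '
}

# Constructed sample modelled on the report: a fake "init" owned by apache in /var/tmp.
sample_procs() {
    printf '1\troot\tinit\t/sbin/init\n'
    printf '2114\tapache\thttpd\t/usr/sbin/httpd\n'
    printf '9731\tapache\tinit\t/var/tmp/example-dir/init\n'
    printf '9802\tapache\tperl\t/usr/bin/perl\n'
}

if [ "${1:-}" = "--live" ]; then
    collect_procs | flag_suspicious
fi
```

With `--live` the script inspects the running host; `sample_procs | flag_suspicious` shows the output on the constructed data.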

InterWorx does not rotate the logs every 10 minutes. We run a fively script every 5 minutes that processes certain things, but not log files. By default, unless the NodeWorx admin has changed it, web log files get rotated daily.

We do provide a firewall in NodeWorx, but that will not prevent people from exploiting security flaws in web applications. The firewall works at a lower level, in that it simply blocks traffic on specified ports on specified IP addresses. If you want Apache to work, then you will need to leave port 80 open to all incoming IPs. The system firewall does not, and can not, go as far as to check for possible malicious web activity.

Socheat

The problem may indeed be the firewall. Here’s what happens;

  • When I go to "firewall" in NodeWorx, it says STOPPED.
  • When I click START, in the green area up top, it says "? Service successfully started "
  • but in the pink area, it still says STOPPED. The rest of the screen remains unchanged.
  • If I go back to "firewall", things appear OFF/STOPPED still.

My settings are;

    Start on boot-up: Yes
    Firewall Information

    Version: 0.9.5 (APF)
    Debug Mode: Off
    Default Type of Service: Maximize Reliability
    TCP Drop Policy: Drop
    Drop Policy: Drop
    Block Multicasting: On
    Block Private Networks: On
    Max Sessions: 34576
    Sysctl TCP: On

    So is my firewall ON or OFF? If OFF, how can I turn it ON?

    Thanks.

    Hello

    Is it possible for you to connect to your server with SSH ?

    If yes, become root and run this command:

    /etc/apf/apf --status

    If the firewall is on you might see the first line of the status

    APF Status Log:
    May 02 03:30:21 padawan apf(12837): firewall initalized

    About your security problem, the firewall can’t solve it indeed, but mod_security might. Have a look at http://www.modsecurity.org/. You should be able to install it by simply doing yum install mod_security.

    There are some good rules, and in your case the Just in Time Patches for Vulnerable Applications, here: http://www.gotroot.com/

    Look for mod_security in this forum for some details on how to install and use it

    Pascal

    Is not going to work :wink: you will have to build it from source. Or download it from here: http://www.jackal-net.at/tiki-read_article.php?articleId=22

    I would love to have this in the InterWorx panel.

    I would love to see mod_security RPMs included in the InterWorx repository. :stuck_out_tongue: