Hey everyone, I came across an interesting article about "cross-site contaminations": https://blog.sucuri.net/2012/12/website-malware-reality-of-cross-site-contaminations.html. This basically explains how an attacker can take control of several websites, starting only from one compromised site. I have 3 questions here: Is this problem really limited to websites under the same account/user or can we fear that the attacker gains access to the whole server's websites? Is it possible that the attacker could get control of the whole server by any mean? Seems impossible to me because this would mean to get a root access but I'm curious to know your opinion/experience with this. Finally, do you guys think of any specific measures that should be taken while hosting dozens of websites on the same server? I mean: I know ISPConfig is specifically built for that and it's already well secured but maybe one of you guys can bring some special advice to follow best practice in this field Thanks a lot and congratulations to the team for ISPConfig 3.1 by the way! The new design looks awesome and I love the new features! Can't wait to start using it ;-) Vincent
The environment in article requires the php interpreter from one site to have permission to write to files under another website, so is highly dependent on your configuration. You can create insecure configurations in ispconfig, eg. by using mod-php or suphp, and you can also create secure configurations that will not have cross-site permissions, eg. use suexec+fast-cgi or php-fpm. ISPConfig does a pretty decent job in its design and setup. But nothing is perfect, and there are surely vulnerabilities in places noone has found (or at least not reported yet). And as above, a lot depends on your configuration. You are correct that taking over the 'whole server' means gaining root access, but that sort of thing (local privilege escalation) can/does happen. Ispconfig will run each website as a separate user id with hhvm, php-fpm or suexec+fast-cgi. You could verify that mistakes in permissions haven't been made such that one site can access or write to another. There is basic security hygiene such as keeping your server and website software up to date, setup any ssh accounts using jailkit, limit the ssh and ftp accounts you create, require good passwords and secondary authentication where available, make regular backups, use a firewall, uninstall software/services that aren't needed. You can install/configure security tools like fail2ban, maldet (with sanesecurity rules in clamav), rkhunter, ossec, ispprotect and others. You can use mod_security with the owasp core rule set (modsecurity-crs package on debian). There are more things that can be done depending on how much you want/need to do, but that's what comes to mind right off.
Thanks for your answer Jesse, this is really helpful! I'm already using suexec+fast-cgi for all of the sites on my server, so I'm not in bad shape I guess ;-) Local privilege escalation looks interesting: I'm gonna read on this! As for the updates, I'm definitely keeping an eye on updates and possible options I have for security improvements. Interesting list of apps, thanks for sharing this Have a good one! Vincent
