FTP to www-data

Discussion in 'Tips/Tricks/Mods' started by Marcio Urakawa, Dec 17, 2020.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    You can also look at any of the several options I listed earlier; you CAN update hundreds/thousands of WordPress/Joomla sites simultaneously with just a couple of mouse clicks.
    I'm not saying that's a good idea (I'd suggest updating in smaller batches of sites), but it can definitely be done.
    Of course, that still leaves checking/testing that the sites are still working OK after the update... but you could also just send a message to the site owners telling them the site has been updated and that they should check themselves that everything is OK.
    Plus these options normally include some form of reporting, so you can keep track of what was updated, when, and from what version to what version.
     
    Marcio Urakawa likes this.
  2. The tools you mentioned are interesting. I will study how to implement them.
    But I have to be careful, because some sites need to be done manually: if you update the plugin, the site breaks.
    As for this updating job, it is complicated because I have other skills.

    The way is to pray.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Like all security, you do many things (layers), there is not a single solution to the problem; especially in your case of trying to make known vulnerable sites available to the public, you can do what you can do, but you can't secure everything and you will have problems. You really, *really* should be working up the command chain to get a means to enforce a sane policy that requires sites to update or be updated; even a policy of "when your site is hacked and abused, we disable it until you're able to fix it" ought to be pretty easy to get support for. But given the constraints that you want external security (you can't secure the sites themselves, including installing security plugins), some thoughts:

    In addition to a local WAF (mod_security rules; use a commercial service like Atomicorp or Astra, you will not (likely?) find a comprehensive set of free rules that does an adequate job), consider an external WAF (Sucuri lists Joomla support, and a quick search finds Cloudflare services and SiteLock; I've not used any of them). Look for the ones that are the most effective, not just the cheapest. And I do mean in addition, i.e. use both a local WAF and a "cloud" WAF.

    Secure your php as much as you can, there are a few settings that help block common attack vectors (especially disabling commonly abused functions). I think you had another thread on disabling sendmail for php generally; you might change the sendmail binary to a script that collects info for you, so when a site is being abused for spam you get notified and can disable it.

    Of course keep your system OS updated, but also uninstall extra software and as many php modules as you can (start with uninstalling imagemagick, if installed). Uninstall/disable all services you don't absolutely need (memcache?), and firewall everything so only the required services are allowed (and restrict access to those where possible, eg. maybe you only need FTP from inside your company networks).

    Secure your web server config, there are a few things you can do beyond a default setup that are good practice (set HTTP security headers, etc.). Definitely make sure you keep ISPConfig's setup where each site runs as a different user; check file and directory permissions to ensure one compromised site can't access the files of other sites. Web searches (for "secure joomla apache" and similar) find lots of info, eg. https://docs.joomla.org/Security_Checklist/Hosting_and_Server_Setup

    If you're not already covered by your local WAF, set up tools to monitor logs and block IPs that are scanning/attacking. Fail2ban can do some of that, but take a look at crowdsec.net (a tool I just became aware of in the forums here) as a fail2ban replacement.

    Install scanners to search for malware in your website files. maldet uses clamav, it's free but you have to get extra signatures setup; it occasionally finds something on our servers, but also misses quite a bit. ISPProtect is a commercial option, and supports ISPConfig development; I've not used it. There are probably other options to find with a little searching.

    And the last one (for now?): use a good network-level firewall that can block known offenders (there are numerous free block lists that are a good start, and commercial lists you can use for more timely/thorough updates). A basic IDS/IPS can be a layer here (though with "everything" moving to HTTPS, most of these have less visibility into HTTP, hence the need for local and cloud WAFs).
     
    Marcio Urakawa likes this.
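The post above suggests replacing the sendmail binary PHP calls with a script that collects information about which site is sending, so an abused site can be spotted and disabled. The following is an added example of such a wrapper (not ISPConfig's own code and not the poster's); the environment variable names, the default log path and the per-site daily quota are assumptions. It is installed by pointing php.ini's `sendmail_path` at it, records one audit line per message, and silently drops mail once a site user passes its quota so the abuse shows up in the log instead of in your mail queue.

```shell
#!/bin/sh
# Hypothetical PHP sendmail wrapper (added example, not ISPConfig's or the
# poster's own code). Install it as sendmail_path in php.ini, e.g.
#   sendmail_path = /usr/local/bin/php-sendmail-wrapper -t -i
# PHP then pipes every mail() message to this script's stdin. The script
# records who sent it, drops mail from a site that has exceeded its daily
# quota, and otherwise hands the message to the real MTA binary unchanged.
# Variable names, default paths and the quota value are assumptions.

LOG="${PHP_SENDMAIL_LOG:-/var/log/php-sendmail.log}"
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"
LIMIT="${PHP_SENDMAIL_LIMIT:-500}"   # max messages per site user per UTC day

# Append one audit line: UTC timestamp, site user, script, working directory.
# With mod_php/CGI PHP exports SCRIPT_FILENAME; with php-fpm it usually does
# not, so the caller passes whatever it could discover (or "unknown").
record_send() {
    user="$1"; script="$2"; cwd="$3"
    printf '%s user=%s script=%s cwd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" "$script" "$cwd" >> "$LOG"
}

# Print how many messages this site user has sent today (0 if no log yet).
# The trailing space in the pattern keeps "web1" from matching "web10".
count_sends_today() {
    today="$(date -u +%Y-%m-%d)"
    n="$(grep -c "^${today}T[^ ]* user=$1 " "$LOG" 2>/dev/null || true)"
    echo "${n:-0}"
}

# Succeeds (exit 0) when the site user has already reached its quota.
over_quota() {
    [ "$(count_sends_today "$1")" -ge "$LIMIT" ]
}

main() {
    user="$(id -un)"                 # ISPConfig runs each site's PHP as its own user
    script="${SCRIPT_FILENAME:-unknown}"
    if over_quota "$user"; then
        # Quota hit: swallow the message, log it, and return success so the
        # abused site keeps behaving normally while the log alerts you.
        printf '%s BLOCKED user=%s (quota %s reached)\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" "$LIMIT" >> "$LOG"
        cat > /dev/null
        exit 0
    fi
    record_send "$user" "$script" "$PWD"
    exec "$REAL_SENDMAIL" "$@"
}

# Only act as the wrapper when installed under its intended name; this lets
# the functions above be sourced and tested without sending anything.
case "$0" in
    */php-sendmail-wrapper) main "$@" ;;
esac
```

Feed the BLOCKED lines to whatever already watches your logs (fail2ban, crowdsec, a cron job that mails you) and you get the "site is being abused, disable it" signal the post describes without touching the sites themselves. Setting `mail.add_x_header = On` in php.ini additionally stamps each message with the sending script's path, which helps when SCRIPT_FILENAME is not exported.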
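The post also says to keep ISPConfig's one-user-per-site setup and to check file and directory permissions so one compromised site cannot read another's files. Below is an added example of such an audit (not ISPConfig's own tooling); the `/var/www/clients/clientN/webN` layout and the config file names it looks for are assumptions to adjust for your server. It reports the three findings that matter when PHP on a hacked site runs as that site's user: another site's database config readable by "other", anything world-writable (a place to drop a web shell), and files not owned by the site user.

```shell
#!/bin/sh
# Hypothetical per-site isolation audit (added example, not ISPConfig's own
# tooling). Assumes ISPConfig's layout of /var/www/clients/clientN/webN,
# each owned by that site's webN user. Adjust paths and names as needed.
#
# Findings, one "<finding> <path>" line each (no output means clean):
#   config-readable : configuration.php / wp-config.php readable by "other",
#                     so any other site's PHP can read this site's DB password
#   world-writable  : any other site's PHP can create or modify files here
#   wrong-owner     : not owned by the site user (a root-run editor or a bad
#                     restore), which breaks the one-user-per-site model

CONFIG_NAMES='configuration.php wp-config.php'

# check_site_perms <site root> <expected owner user name>
check_site_perms() {
    root="$1"; owner="$2"
    for name in $CONFIG_NAMES; do
        # -perm -004: the "other" read bit is set
        find "$root" -type f -name "$name" -perm -004 \
            | sed 's/^/config-readable /'
    done
    # -perm -002: the "other" write bit is set (files and directories)
    find "$root" -perm -002 | sed 's/^/world-writable /'
    find "$root" ! -user "$owner" | sed 's/^/wrong-owner /'
}

# audit_all_sites [clients dir]: run the check for every webN directory,
# taking the expected owner from the directory's own owner.
audit_all_sites() {
    base="${1:-/var/www/clients}"
    for site in "$base"/client*/web*; do
        [ -d "$site" ] || continue
        # GNU stat first, BSD stat as fallback
        owner="$(stat -c %U "$site" 2>/dev/null || stat -f %Su "$site")"
        check_site_perms "$site" "$owner"
    done
}
```

Run `audit_all_sites` from cron and diff the output against the previous run; a new config-readable or world-writable line is worth a look the same day. Directories that the panel itself manages inside a web root may legitimately belong to another user, so add `-prune` exclusions for those paths once you know which they are rather than ignoring the wrong-owner class wholesale.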
  4. They are great tools; too bad I won't be able to pay for each site that way. The company is unlikely to accept the payment either. If there was one with a single license and a low price, I would pay for it myself.
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Well, the last one is £180, and you run it on your own Joomla install and use that one to manage an unlimited number of Joomla sites.
    You only need to pay again if you want support or an update at any point after the first 12 months. You would most likely get at least 2 or 3 years, maybe more, out of it before some change somewhere definitely required a newer version.

    The mysites.guru one is £200/year for unlimited sites, both WordPress and Joomla.

    I don't know what situation your company is in, but with the number of outdated sites you claim to have, they'd save that amount back in a week or two in the cost of wasted man-hours manually updating a few sites, or cleaning an infected site.
     
