Ispconfig protect servers against CTB-Locker

Discussion in 'General' started by andresgt2000, Feb 29, 2016.

  1. andresgt2000

    andresgt2000 Member

    Hi everyone

    I want to know if apart of backup and modsecurity, exist other options to protect the websites from CTB-Locker, maybe disable some php commands in the sites or lock web directory against write and only with a sftp session could enable write permissions or something like that.

    I know that the infection happen for vulnerable word-press site but many of or clients create the site and forgot of the security maintenance and update the CMS.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you would chown all website files and folders of a website to root + mode 755, then this would protect you from the crypto locker but it will also prevent that the customer can update his cms, that he can install plugins or upload images to his blog etc. So I guess your customers won't like it.

    Check that the backup system is working, make a newsletter to your customers and remind them that they update their cms.
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    An external firewall is a layer, something with an IDS, blocking known compromised hosts and such.

    Just thinking out loud, if is accurate, maybe you could create a bogus ./extensions.txt file, and maybe /crypt/ directory (or Crypt as seen in another post), and make them immutable, or root owned or such, it might help at the moment. But that's just till the script logic changes of course, so a quite short lived thing, if it does anything at all.

    This might be a terrible idea, but those come cheaply :), so: write an ispconfig interface module ( with a brief message explaining to customers that their websites can be set to updatable mode or not, and a checkbox for each of their domains to do so. Set all websites to "not updatable" and make them root owned. Then run a cronjob to see if that updatable checkbox has changed status - if it has, change permissions on the website (to root or to the web user as needed). Maybe you'd need an exclusion list for each website, to not change ownership (eg. cache and other working/temp directories). Not a huge project, and would necessarily be disruptive to some sites/workflows, but would help a lot of them and give everyone a handle to turn on/off.

Share This Page