Jailkit and malicious PHP shell

Discussion in 'General' started by psyray, Aug 16, 2021.

  1. psyray

    psyray New Member

    Hi,
    I have a little question about security in ISPConfig.
    There is a jailkit configuration for shell users; right, it's a good system and it's working.
    But what if a malicious SSH user, who is stuck inside jailkit, uploads a PHP shell like p0wnyShell into the web directory and then accesses this file?
    I've tested it, and when you access the PHP file from a browser you have access to the whole server, so jailkit can be bypassed in 1 second.

    Is this a bad configuration in my ISPConfig setup, or is this normal?
    I haven't really searched deeper; I'm asking the question because I just realized
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's normal, as the PHP daemon is not chrooted by default. Enable php-fpm chroot in the website options to run php-fpm chrooted as well. But be aware that this might require adjustments in the config of the website CMS that you run; you must e.g. use 127.0.0.1 instead of localhost to connect to a MySQL database in this case.
     
    ahrasis likes this.
  3. psyray

    psyray New Member

    Thanks @till for your quick and valuable response ;)
     
  4. psyray

    psyray New Member

    And also, all paths set in the configuration file of the CMS have to be relative to the chroot, isn't it?
    For example:
    /var/www/clients/client1/web1/web becomes /web
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Correct.

    Also you need to set validate_root in your php-fpm config.
     
    ahrasis and till like this.
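    As an added illustration (not from this thread and not ISPConfig's generated pool file), the two php-fpm pool fragments below show the default pool beside a chrooted one carrying the adjustments discussed above: chroot-relative paths, opcache validate_root, and a TCP MySQL connection. The pool names, socket path and directive layout are assumptions; only the chroot directory and the /web mapping come from the thread.

    ```ini
    ; Constructed example, not ISPConfig's own template. Two variants of the
    ; same site are shown side by side; only one of them would be deployed.

    ; BEFORE: pool without chroot. A PHP shell dropped into the web root by a
    ; jailed SSH/SFTP user executes here with the whole filesystem visible,
    ; because the jailkit chroot applies to the shell session, not to php-fpm.
    [web1-nochroot]
    user = web1
    group = client1
    listen = /var/lib/php-fpm/web1.sock          ; assumed socket path
    ; open_basedir limits PHP's file functions only; it is not a sandbox.
    php_admin_value[open_basedir] = /var/www/clients/client1/web1/web:/var/www/clients/client1/web1/tmp

    ; AFTER: same pool with php-fpm chroot enabled. Everything PHP can reach
    ; is now inside the chroot directory.
    [web1-chroot]
    user = web1
    group = client1
    listen = /var/lib/php-fpm/web1.sock          ; assumed socket path
    chroot = /var/www/clients/client1/web1
    chdir = /web
    ; Paths are relative to the chroot: /var/www/clients/client1/web1/web -> /web
    php_admin_value[open_basedir] = /web:/tmp
    ; opcache keys cached scripts by path; with validate_root it also checks
    ; the root, so one chrooted pool cannot be served another pool's cache.
    php_admin_value[opcache.validate_root] = 1
    ; Note for the CMS config: "localhost" makes the MySQL client use the Unix
    ; socket (e.g. /var/run/mysqld/mysqld.sock), which does not exist inside
    ; the chroot. Set the database host to 127.0.0.1 so it connects over TCP.
    ```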
  6. psyray

    psyray New Member

    Thanks, I will change my opcache config.
    And last but not least, does the open_basedir path need to be adjusted by hand in the vhost configuration admin of ISPConfig?
    After I enable php-chroot, the paths are always /var/www/clients....
    Can you think of other settings?
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    No, open_basedir is rewritten correctly when switching to/from chroot mode.
    What paths? I just verified again on a 3.2.25 box that the only instance of "/var/www/clients" in the php-fpm config file is to set the chroot path.
     
  8. psyray

    psyray New Member

    Those in the admin configuration of the vhost, in the options tab where you set the chroot for PHP.
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    PHP open_basedir gets rewritten correctly; I don't know about PHP directives offhand.
     
  10. psyray

    psyray New Member

    Those ones (as you said, it seems to be only in the form; in pool.d/web32 the open_basedir directives are correct)
    [screenshot attachment]
     
