Dear all, we have seen a couple of WordPress sites hacked by the infamous AnonymousFox defacer: https://www.brightvessel.com/anonymous-fox-wordpress-5-5-hack-should-i-be-concerned/ https://patchstack.com/wordpress-vulnerability/ On one of them, for some reason, they were able to grab the passwd file of the server, I suppose by uploading and using a custom php.ini file with open_basedir disabled. Also, the configuration was already done in order to prevent the user from uploading a custom php.ini file (user_ini.filename set to empty in php.ini). Any other clue on stuff that I can verify? We are in a Debian 10.6 and PHP 7.4 (FastCGI) environment. Thanks.
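One concrete thing to verify after such an incident is whether any php.ini or .user.ini override files are sitting inside the web roots, and whether the system php.ini really has user_ini.filename empty. The following is an added example for this thread, not code from the original posts or from ISPConfig; it assumes POSIX sh with find and grep, and every path and sample file in it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig: scan a web root for
# php.ini / .user.ini files a site (or an intruder) may have dropped, and
# flag the directives relevant to the open_basedir bypass discussed above.
# Assumes POSIX sh with find and grep; all paths are hypothetical.

# Directives worth a look when they appear in an ini file inside a web root.
SUSPECT_DIRECTIVES='open_basedir|disable_functions|auto_prepend_file|auto_append_file|allow_url_include|cgi\.force_redirect|user_ini\.filename'

# Print "<file>: <lineno>:<directive line>" for every suspicious, uncommented
# directive in php.ini or .user.ini files below the directory given as $1.
audit_ini_overrides() {
    find "$1" -type f \( -name 'php.ini' -o -name '.user.ini' \) 2>/dev/null |
    while IFS= read -r f; do
        # anchored at line start, so ';'-commented lines are skipped
        grep -nE "^[[:space:]]*($SUSPECT_DIRECTIVES)[[:space:]]*=" "$f" |
        while IFS= read -r hit; do
            printf '%s: %s\n' "$f" "$hit"
        done
    done
}

# Number of suspicious directive lines under $1 (0 means nothing found).
count_ini_overrides() {
    audit_ini_overrides "$1" | wc -l | tr -d ' '
}

# Return 0 if the given php.ini disables per-directory .user.ini files
# (user_ini.filename set to an empty value, as the thread describes),
# 1 otherwise. A commented-out line does not count as disabled.
user_ini_disabled() {
    grep -qE '^[[:space:]]*user_ini\.filename[[:space:]]*=[[:space:]]*("")?[[:space:]]*$' "$1"
}

# Usage on a hypothetical ISPConfig layout:
#   audit_ini_overrides /var/www/clients/client1/web1/web
#   user_ini_disabled /etc/php/7.4/cgi/php.ini && echo ".user.ini lookup disabled"
```

Run the audit against each site's web directory; any hit inside wp-content/uploads or another writable path is worth investigating, since a legitimate site rarely needs to ship its own open_basedir or disable_functions line. The user_ini_disabled check only proves the directive is empty in that file; it still has to be the php.ini the affected SAPI actually loads.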
Upgrade to the latest Debian GNU/Linux 10.x; my system is at 10.10 now. Most of the updates for the Debian Stable release are security fixes or fixes for serious bugs. On Debian 10, ISPConfig is supposed to support PHP 7.3. Are you really on 7.4? The websites can run 7.4, that is OK, but the system PHP must remain the Debian 10 default.
Yes, PHP 7.4 is installed on the server as an additional PHP, and the hacked vhost runs on that PHP. The system PHP is 7.3, the Debian 10 default. Upgrading to the latest Debian is fine, but it sounds a little bit generic, since this seems to be really a PHP-related issue. Thanks.
There are several things that you can do to further protect the system: 1) Disable the various exec functions for php-fpm globally or by website. 2) Switch from php-fcgi to php-fpm and enable PHP chroot. Be aware that you must configure PHP to ensure that the PHP caches don't mix up sites: https://www.howtoforge.com/community/threads/serving-wrong-website-sporadically.86962/
Is switching from FCGI to FPM a generic improvement, or is there a specific security threat with FCGI (even when used with open_basedir as the Perfect Server guide configures it)? Because FCGI is used very often.
php-fpm is the successor of php-FastCGI. Using FastCGI is generally fine and not a security issue, but it makes no sense to favor this older technology. New servers and new sites on older systems should use php-fpm today and even older sites should be switched over step by step. And you can't use the chrooting feature in FastCGI mode.
OK, I'll give that a try. The only thing not clear is the opcache problem for FPM. Can I set opcache.validate_root = 1 in opcache.ini in order to configure it globally for every host with FPM on that server? Thanks.
That's probably OK. You should check it with phpinfo() in a website where you enabled chroot for php-fpm, though. If it does not work, then try enabling it in php.ini instead.
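To make the two recommendations in this thread concrete (disabling the exec functions per site, moving the site to a chrooted php-fpm pool, and keeping opcache from mixing up chrooted sites), here is an added example of a hardened php-fpm pool. It is not configuration from the thread or from ISPConfig; the pool name, user, group, socket and directory paths are hypothetical and would be replaced by whatever the panel generates.

```ini
; Added example, not from the thread or ISPConfig: a hardened php-fpm pool.
; Pool name, user/group, socket and paths are hypothetical.
[web1]
user = web1
group = client1
listen = /run/php/php7.4-fpm-web1.sock
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 10

; Chroot the pool into the site directory (not possible with php-fcgi).
; Every path in the php_admin_* lines below is relative to this root.
chroot = /var/www/clients/client1/web1
chdir = /

; php_admin_value / php_admin_flag cannot be overridden from PHP code
; (ini_set), from a .user.ini, or from a php.ini dropped into the web root,
; unlike php_value / php_flag. Use them for everything security-relevant.
php_admin_value[open_basedir] = /web:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_flag[allow_url_include] = off
php_admin_flag[expose_php] = off

; Global side, in the FPM php.ini or its conf.d/10-opcache.ini rather than
; per pool, as discussed at the end of the thread. Inside a chroot every
; pool sees "/" as its own root, so two sites can have identical absolute
; script paths; validate_root makes opcache take the chroot root into account
; so cached scripts of one site are not served to another. Confirm the value
; with phpinfo() from inside a chrooted site.
;   opcache.validate_root = 1
```

A quick check after reloading php-fpm: from inside the site, a script calling ini_get('disable_functions') and ini_get('open_basedir') should report these values, and ini_set('open_basedir', ...) should fail, because they were set with php_admin_value rather than php_value.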