{"id":1024,"date":"2015-08-03T00:23:51","date_gmt":"2015-08-03T05:23:51","guid":{"rendered":"https:\/\/hostease.com\/blog\/?p=1024"},"modified":"2024-11-27T02:25:12","modified_gmt":"2024-11-27T07:25:12","slug":"cxs-for-cpanel","status":"publish","type":"post","link":"https:\/\/www.hostease.com\/blog\/cpanel\/cxs-for-cpanel\/","title":{"rendered":"CXS for cPanel"},"content":{"rendered":"<p>Installation<br \/>\n============<\/p>\n<p>1. Product installation:<\/p>\n<p>wget http:\/\/download.configserver.com\/cxsinstaller.tgz<br \/>\ntar -xzf cxsinstaller.tgz<br \/>\nperl cxsinstaller.pl<br \/>\nrm -fv cxsinstaller.*<\/p>\n<p>2. You should now read the cxs documentation either through:<\/p>\n<p>1. The UI<br \/>\n2. # perldoc cxs<br \/>\n3. # cxs --help<\/p>\n<p>If you decide to use the cxs Watch daemon you can skip items 3 to 5. Instead,<br \/>\nread the documentation under the cxs Watch Daemon section on using this method.<br \/>\nTo install the required perl module for the cxs Watch daemon on a cPanel server<br \/>\nyou can use:<\/p>\n<p>\/scripts\/perlinstaller Linux::Inotify2<\/p>\n<p>3. You will want to modify the following files to suit your requirements after<br \/>\nyou have read the cxs documentation and studied the CLI option. These files<br \/>\ncan be changed at any time and contain the cxs commands and options you want<br \/>\nto use for scanning files as they are uploaded:<\/p>\n<p>The pure-ftpd upload scanner script that runs cxs:<br \/>\n\/etc\/cxs\/cxsftp.sh<\/p>\n<p>The web script upload scanner script that runs cxs:<br \/>\n\/etc\/cxs\/cxscgi.sh<\/p>\n<p>4. Web script upload scanning is performed via mod_security.<\/p>\n<p>This can be enabled two ways:<\/p>\n<p>a. 
Add the following two lines (be careful of line breaks) to your mod_security<br \/>\nrules file (\/usr\/local\/apache\/conf\/modsec2.user.conf on cPanel):<\/p>\n<p>SecRequestBodyAccess On<br \/>\nSecRule FILES_TMPNAMES &quot;@inspectFile \/etc\/cxs\/cxscgi.sh&quot; \\<br \/>\n&quot;log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'&quot;<br \/>\nSecUploadKeepFiles RelevantOnly<br \/>\nSecTmpDir \/tmp<\/p>\n<p>If you allow the uploading of very large files, you may need to<br \/>\nincrease the default mod_security allowable size of 128MB by using the<br \/>\nSecRequestBodyLimit directive after SecRequestBodyAccess:<\/p>\n<p>SecRequestBodyLimit 134217728<\/p>\n<p>This value is in bytes (134217728 = 128MB). You might also want to<br \/>\ncreate the temporary files in a directory other than \/tmp using:<\/p>\n<p>SecTmpDir \/path\/to\/dir<\/p>\n<p>Where \/path\/to\/dir is a directory where the large files can be<br \/>\ntemporarily stored and that must be writable by the nobody user<\/p>\n<p>Then restart httpd<\/p>\n<p>b. Use the inbuilt cPanel ModSecurity Vendor Rules mechanism by either:<\/p>\n<p>1. WHM &gt; ModSecurity Vendors &gt; Add Vendor &gt; Vendor Configuration URL<\/p>\n<p>https:\/\/download.configserver.com\/waf\/meta_configserver.yaml<\/p>\n<p>Save and then restart httpd<\/p>\n<p>or<\/p>\n<p>2. Issue the following commands:<\/p>\n<p>\/scripts\/modsec_vendor add https:\/\/download.configserver.com\/waf\/meta_configserver.yaml<br \/>\n\/scripts\/modsec_vendor enable configserver<\/p>\n<p>Then restart httpd<\/p>\n<p>You can have the ConfigServer Vendor enabled along with any other Vendor<br \/>\nthat you may already be using.<\/p>\n<p>5. Pure-ftpd upload scanning requires you to edit the active pure-ftpd.conf<br \/>\n(e.g. 
\/etc\/pure-ftpd.conf) and add\/modify the line:<\/p>\n<p>CallUploadScript yes<\/p>\n<p>Note: Pure-ftpd must be compiled with the --with-uploadscript option (usually<br \/>\ndone by default)<\/p>\n<p>On Linux:<br \/>\nThen restart pure-ftpd and pure-uploadscript. The installation process adds<br \/>\na new service in \/etc\/init.d\/pure-uploadscript which runs as a daemon and<br \/>\npasses ftp uploads to \/etc\/cxs\/cxsftp.sh<\/p>\n<p>On FreeBSD:<br \/>\nThen add the following lines to \/etc\/rc.conf:<\/p>\n<p>pureftpd_enable=&quot;YES&quot;<br \/>\npureftpd_upload_enable=&quot;YES&quot;<br \/>\npureftpd_uploadscript=&quot;\/etc\/cxs\/cxsftp.sh&quot;<\/p>\n<p>Then restart pure-ftpd<\/p>\n<p>6. ClamAV scanning requires a running clamd daemon. By default cxs will look<br \/>\nfor the clamd socket at \/tmp\/clamd and \/var\/clamd. If it is located<br \/>\nelsewhere then you must use the --clamdsock option and pass the socket<br \/>\nlocation in every cxs call (i.e. in cxsftp.sh, cxscgi.sh and the cxs CLI) or<br \/>\nuse a cxs.defaults file.<\/p>\n<p>7. If you want automatic updates then use the following as an example:<\/p>\n<p>ln -s \/etc\/cxs\/cxsdaily.sh \/etc\/cron.daily\/<\/p>\n<p>8. You can test both Perl CGI and PHP upload checks by copying the files<br \/>\n\/etc\/cxs\/test.* to an empty test directory within a web site on the server<br \/>\n(set the file permissions and ownership correctly).<\/p>\n<p>First upload a normal file to check the uploads work.<\/p>\n<p>Then try uploading the exploit file from \/etc\/cxs\/test\/udp.pl which should<br \/>\ntrigger whatever settings you have configured in \/etc\/cxs\/cxscgi.sh<\/p>\n<p>You can also upload \/etc\/cxs\/test\/udp.pl via FTP which should trigger<br \/>\nwhatever settings you have configured in \/etc\/cxs\/cxsftp.sh<\/p>\n<p>NOTE: Remove the test scripts from the web site after testing as the test<br \/>\nscripts are NOT secure.<\/p>\n<p>9. 
See the RECOMMENDATIONS in the cxs POD documentation<\/p>\n<p>Webmin Module Installation\/Upgrade (not yet implemented)<br \/>\n==================================<\/p>\n<p>To install or upgrade the cxs webmin module:<\/p>\n<p>Install cxs as above<br \/>\nInstall the cxs webmin module in:<br \/>\nWebmin &gt; Webmin Configuration &gt; Webmin Modules &gt;<br \/>\nFrom local file &gt; \/etc\/cxs\/cxswebmin.tgz &gt; Install Module<\/p>\n<p>Uninstallation<br \/>\n==============<\/p>\n<p>Reverse items 4, 5 and 7 above, then:<\/p>\n<p>cd \/etc\/cxs<br \/>\nsh uninstall.sh<br \/>\ncd \/root<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to install and configure CXS (ConfigServer eXploit Scanner) in cPanel to enhance server security. Step-by-step instructions for FTP and web upload scanning, ModSecurity setup, and ClamAV integration.<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89],"tags":[508,509,452],"class_list":["post-1024","post","type-post","status-publish","format-standard","hentry","category-cpanel","tag-configserver","tag-cxs-installation","tag-server-security"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/posts\/1024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/comments?post=1024"}],"version-history":[{"count":1,"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/posts\/1024\/revisions"}],"predecessor-version":[{"id":2134,"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\
/posts\/1024\/revisions\/2134"}],"wp:attachment":[{"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/media?parent=1024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/categories?post=1024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostease.com\/blog\/wp-json\/wp\/v2\/tags?post=1024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}