Informal security audit

[Xunnamius]

Let's strip out any potentially vulnerable components, code, etc if they exist. Also add alerts and warnings about potentially insecure configurations and other detectable events. We don't want this happening, now do we?

Also, if any RSA keys are being used anywhere for anything, EC/ECDH keys should be used instead.

Also, does OLS need the custom larger (e.g. 4096) DH params, or are the "hardness" settings enough?

See also: https://github.com/Xunnamius/supreme.xunn.io/issues/26

[Xunnamius]

Points of interest (might make for decent defaults in installer script):

• [Server Configuration > Security > File Access] No follow symlinks and Yes force strict ownership.
• [Server Configuration > Security > Access Denied Directories] Add additional directories
• Restrict all reverse proxy stuff to localhost ipv4 and ipv6
• .htaccess disabled by default at server and vhost level. OLS barely supports any Apache directives so they're essentially useless files anyway unless you're doing something specific (like LSCache). Enable .htaccess (enable rewrites + enable auto load from .htaccess) for WordPress and other users of LSCache. Otherwise, if you need to do something complex/advanced, fall back to Nginx.
• None of the control panels should be reachable from the internet, though there should be the option to expose CP itself (but certainly none of the others). So then how do we reach them? Two options:
  • The automated (default, integrated, most optimal) approach. Use Nginx sub_filter to bring the external control panels into CP with a top bar containing the normal CP nav bar along with a "return to CP" link. I really like this approach, and it doesn't involve any messy iframes or anything like that.
  • The manual (fallback, involved, suboptimal) approach. This (or this) + this, which is what I'm using right now.

[Xunnamius]

Another thing I've noticed:

CP should add disable_functions to all php.ini settings by default and allow users to customize (perhaps via a table?) in the UI. Even with chrooted UDS and open_basedir, it doesn't hurt to be paranoid here.

php_admin_value disable_functions phpinfo,openlog,syslog,posix_getpwuid,diskfreespace,dl,escapeshellarg,escapeshellcmd,exec,fpaththru,fsocket_open,getmypid,getmyuid,highlight_file,ini_alter,leak,limit,parse_ini_file,passthru,popen,posix,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getpwnam,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,system,tmpfile,virtual,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,shell_exec

[Xunnamius]

See also: https://github.com/Xunnamius/supreme/issues/43

[Xunnamius]

^{* With help from socat if necessary}

Candidates for socket-ification:

• MySQL/MariaDB <-> OLS
• MySQL/MariaDB users using unix_socket instead of mysql_native_password or even ed25519
• Nginx <-> OLS
• Maybe BDPA reverse proxies if socat+ssh can handle that (low priority)

[Xunnamius]

Also: shouldn't CP not use the root mariadb account? Take a page out of phpMyAdmin's book...

[Xunnamius]

Also: WordPress installs should have access to stuff like /xmlrpc.php disabled at the Nginx level, as well as /system/shared/nginx/directive-only/protect-wp-2fa.conf and other scripts to prevent WordPress users from disabling important plugins (or is there an admin feature for this built into WordPress already? More research is required). Either way, these protections should be configurable by CP admins.

See also:

    include /system/shared/nginx/location/disable-wpad.conf;
    include /system/shared/nginx/location/protect-wordpress-xmlrpc.conf;
    include /system/shared/nginx/location/protect-wordpress-upload-directory.conf;

[Xunnamius]

Also: all generated passwords (like db user passwords) should be at least 32 characters long. Come on now, they're auto-generated anyway.

Similarly: stop using mysql_native_password and start using unix_socket. Where password access is unavoidable (i.e. phpMyAdmin frontend), use ed25519.

[Xunnamius]

No root powers for CyberPanel. Also, make sure CP keeps its hands off my postfix/dovecot configs.

[Xunnamius]

wp-config.php should not be left on the filesystem with the o+r permission.

[Xunnamius]

Don't lockdown entire /var/spool/cron directory, other users should still be able to use their crontabs. Also, don't use crontab at all. Centralize crons into appropriate filesystem cron directories.

[Xunnamius]

Do we need to run acme.sh as root? Combined with DNS alias mode, perhaps the acme.sh should have its own user and home dir to which it is limited/chrooted. Back to using certbot.

However privileges are escalated (hopefully cyberpanel isn't running as root all the time) can be used to restart nginx, postfix, etc.

[Xunnamius]

Check out https://github.com/crowdsecurity/crowdsec. Integration opportunity?