Open Xunnamius opened 10 months ago
Points of interest (might make for decent defaults in installer script):
* `.htaccess` disabled by default at server and vhost level. OLS barely supports any Apache directives so they're essentially useless files anyway unless you're doing something specific (like LSCache). Enable `.htaccess` (enable rewrites + enable auto load from .htaccess) for WordPress and other users of LSCache. Otherwise, if you need to do something complex/advanced, fall back to Nginx.
* `sub_filter` to bring the external control panels into CP with a top bar containing the normal CP nav bar along with a "return to CP" link. I really like this approach, and it doesn't involve any messy iframes or anything like that.

Another thing I've noticed:

CP should add `disable_functions` to all php.ini settings by default and allow users to customize (perhaps via a table?) in the UI. Even with chrooted UDS and `open_basedir`, it doesn't hurt to be paranoid here.
```apache
php_admin_value disable_functions phpinfo,openlog,syslog,posix_getpwuid,diskfreespace,dl,escapeshellarg,escapeshellcmd,exec,fpaththru,fsocket_open,getmypid,getmyuid,highlight_file,ini_alter,leak,limit,parse_ini_file,passthru,popen,posix,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getpwnam,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,system,tmpfile,virtual,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,shell_exec
```
* With help from socat if necessary
Candidates for socket-ification:
`unix_socket` instead of `mysql_native_password` or even `ed25519`
Also: shouldn't CP not use the root mariadb account? Take a page out of phpMyAdmin's book...
Also: WordPress installs should have access to stuff like `/xmlrpc.php` disabled at the Nginx level, as well as `/system/shared/nginx/directive-only/protect-wp-2fa.conf` and other scripts to prevent WordPress users from disabling important plugins (or is there an admin feature for this built into WordPress already? More research is required). Either way, these protections should be configurable by CP admins.
See also:
```nginx
include /system/shared/nginx/location/disable-wpad.conf;
include /system/shared/nginx/location/protect-wordpress-xmlrpc.conf;
include /system/shared/nginx/location/protect-wordpress-upload-directory.conf;
```
Also: all generated passwords (like db user passwords) should be at least 32 characters long. Come on now, they're auto-generated anyway.
Similarly: stop using `mysql_native_password` and start using `unix_socket`. Where password access is unavoidable (i.e. phpMyAdmin frontend), use `ed25519`.
No root powers for CyberPanel. Also, make sure CP keeps its hands off my postfix/dovecot configs.
`wp-config.php` should not be left on the filesystem with the o+r permission.
Don't lock down the entire /var/spool/cron directory; other users should still be able to use their crontabs. Also, don't use crontab at all. Centralize crons into appropriate filesystem cron directories.
Do we need to run acme.sh as root? Combined with DNS alias mode, perhaps the acme.sh should have its own user and home dir to which it is limited/chrooted. Back to using certbot.
However privileges are escalated (hopefully cyberpanel isn't running as root all the time), that can be used to restart nginx, postfix, etc.
Check out https://github.com/crowdsecurity/crowdsec. Integration opportunity?
Let's strip out any potentially vulnerable components, code, etc. if they exist. Also add alerts and warnings about potentially insecure configurations and other detectable events. We don't want this happening, now do we?
Also, if any RSA keys are being used anywhere for anything, EC/ECDH keys should be used instead.
Also, does OLS need the custom larger (e.g. 4096) DH params, or are the "hardness" settings enough?
See also: https://github.com/Xunnamius/supreme.xunn.io/issues/26
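As an added check (example code, not from the issue or from CyberPanel), a small Python audit for two of the points above: whether a `disable_functions` directive still leaves a baseline of process-spawning functions enabled, and whether a `wp-config.php` stand-in carries the o+r bit. The baseline set, the sample directive and all helper names are constructed for this example.

```python
import os
import re
import stat
import tempfile

# Constructed baseline for this example: process-spawning functions that a
# shared-hosting php.ini should always disable (a subset of the issue's list).
BASELINE = frozenset({
    "dl", "exec", "passthru", "pcntl_exec", "pcntl_fork", "popen",
    "proc_open", "shell_exec", "system",
})

# Matches the php.ini form ("disable_functions = a,b") and the per-vhost
# form used in the issue ("php_admin_value disable_functions a,b").
_DIRECTIVE = re.compile(
    r"^\s*(?:php_admin_value\s+)?disable_functions\s*=?\s*(.*?)\s*$", re.M)

def parse_disable_functions(text: str) -> set[str]:
    """Return the function names disabled by the first directive in text."""
    m = _DIRECTIVE.search(text)
    if not m:
        return set()
    raw = m.group(1).strip().strip("\"'")
    return {f.strip().lower() for f in raw.split(",") if f.strip()}

def missing_from_baseline(text: str) -> set[str]:
    """Baseline functions the directive leaves enabled (empty set == OK)."""
    return set(BASELINE - parse_disable_functions(text))

def is_world_readable(path: str) -> bool:
    """True if the file carries the o+r bit the issue says wp-config.php must lose."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def drop_world_access(path: str) -> int:
    """Clear all 'other' permission bits on path; returns the resulting mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_IRWXO
    os.chmod(path, mode)
    return mode

def make_sample_file(mode: int) -> str:
    """Create a throwaway file with the given mode (stands in for wp-config.php)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":  # constructed vhost snippet missing proc_open, dl, pcntl_*
    sample = "php_admin_value disable_functions exec,system,shell_exec,passthru,popen\n"
    print("still enabled:", sorted(missing_from_baseline(sample)))
```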