Initial commit.
151
cxs/install.txt
Normal file
@@ -0,0 +1,151 @@
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################

Installation
============

1. Product installation:

wget http://download.configserver.com/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv cxsinstaller.*

2. You should now read the cxs documentation either through:

1. The UI
2. # perldoc cxs
3. # cxs --help

If you decide to use the cxs Watch daemon you can skip items 3 to 5. Instead,
read the documentation under the cxs Watch Daemon section on using this method.
To install the required perl module for the cxs Watch daemon on a cPanel server
you can use:

/scripts/perlinstaller Linux::Inotify2

3. You will want to modify the following files to suit your requirements after
you have read the cxs documentation and studied the CLI option. These files
can be changed at any time and contain the cxs commands and options you want
to use for scanning files as they are uploaded:

The pure-ftpd upload scanner script that runs cxs:
/etc/cxs/cxsftp.sh

The web script upload scanner script that runs cxs:
/etc/cxs/cxscgi.sh

4. Web script upload scanning is performed via mod_security.

This can be enabled two ways:

a. Add the following two lines (be careful of line breaks) to your mod_security
rules file (/usr/local/apache/conf/modsec2.user.conf on cPanel):

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecUploadKeepFiles RelevantOnly
SecTmpDir /tmp

If you allow the uploading of very large files, you may need to
increase the default mod_security allowable size of 128MB by using the
SecRequestBodyLimit directive after SecRequestBodyAccess:

SecRequestBodyLimit 134217728

This value is in bytes (134217728 = 128MB). You might also want to
create the temporary files in a directory other than /tmp using:

SecTmpDir /path/to/dir

Where /path/to/dir is a directory where the large files can be
temporarily stored and must be writable to by the nobody user

Then restart httpd

b. Use the inbuilt cPanel ModSecurity Vendor Rules mechanism by either:

1. WHM > ModSecurity Vendors > Add Vendor > Vendor Configuration URL

https://download.configserver.com/waf/meta_configserver.yaml

Save and then restart httpd

or

2. Issue the following commands:

/scripts/modsec_vendor add https://download.configserver.com/waf/meta_configserver.yaml
/scripts/modsec_vendor enable configserver

Then restart httpd

You can have the ConfigServer Vendor enabled along with any other Vendor
that you may already be using.

5. Pure-ftpd upload scanning requires you to edit the active pure-ftpd.conf
(e.g. /etc/pure-ftpd.conf) and adding/modifying the line:

CallUploadScript yes

Note: Pure-ftpd must be compiled with --with-uploadscript option (usually
done by default)

On Linux:
Then restart pure-ftpd and pure-uploadscript. The installation process adds
a new service in /etc/init.d/pure-uploadscript which runs as a daemon and
passes ftp uploads to /etc/cxs/cxsftp.sh

On FreeBSD:
Then add the following lines to /etc/rc.conf:

pureftpd_enable="YES"
pureftpd_upload_enable="YES"
pureftpd_uploadscript="/etc/cxs/cxsftp.sh"

Then restart pure-ftpd

6. ClamAV scanning requires a running clamd daemon. By default cxs will look
for the clamd socket at /tmp/clamd and /var/clamd, if it is located
elsewhere then you must use the --clamdsock option and pass the socket
location in every cxs call (i.e. in cxsftp.sh, cxscgi.sh and the cxs CLI) or
use a cxs.defaults file.

7. If you want automatic updates then use the following as an example:

ln -s /etc/cxs/cxsdaily.sh /etc/cron.daily/

8. You can test ModSecurity upload checks by running the following command
which will trigger the cxs ModSecurity rule if correctly configured:

curl -F "file=@/etc/cxs/test/testexploit.php" 127.0.0.1

To test FTP uploads, download /etc/cxs/test/testexploit.php and then upload
using ftp.

9. See the RECOMMENDATIONS in the cxs POD documentation


Webmin Module Installation/Upgrade (not yet implemented)
==================================

To install or upgrade the cxs webmin module:

Install cxs as above
Install the cxs webmin module in:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/cxs/cxswebmin.tgz > Install Module


Uninstallation
==============

Reverse items 4, 5 and 7 above, then:

cd /etc/cxs
sh uninstall.sh
cd /root
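Review bot: step 1 fetches cxsinstaller.tgz over plain http and runs it straight away with `perl cxsinstaller.pl`, with no checksum or signature verification, so the documented install path has no integrity check on code that is executed on the server; step 4b already uses https://download.configserver.com for the vendor YAML, so the wget line should use https as well, and the text should tell the reader to compare the archive against a published checksum before the perl step. Worth adding at the same time: the `rm -fv cxsinstaller.*` line removes anything matching that glob in the current directory, so the instructions should say to run the four commands from a fresh, empty working directory.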