title

Blog of René Jochum

Blogging about Programming, Security, Linux, Networking and Web Apps.

Syscp to Foxlor move on Ubuntu 12.10 with high security.


Today i switched our (mine and my uncles) WebServer from

  • SysCP (modified by me), apache2, apache2-mpm-itk, libapache2-mod-php5, proftpd

To:

  • Froxlor (git master), nginx, php5-fpm, vsftpd (with libpam-mysql and libnss-mysql-bg)

I had nginx with php5-fpm running as second install, i also have it running on a high volume website. It's a dream!

This is a shared web Server so i tought a lot about its security (which we had before by mpm-itk).

The main thing to think about was PHP, there are a lot bugs in PHP written Software and "crackers"

love to hack PHP Sites.

The Solution for this was for us to run one php5-fpm for every customer, froxlor makes it easy to do so.

First replace ProFTPd with vsftpd with libpam-mysql ( libpam-ldap for a bug ), stolen here.

apt-get install vsftpd libpam-mysql libpam-ldap

Replace /etc/pam.d/vsftpd (still with the syscp backend):

auth     required       pam_mysql.so user=syscp passwd=<YOUR_MYSQL-SYSCP_PASSWORD> host=localhost db=syscp table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1 verbose=1
account  required       pam_mysql.so user=syscp passwd=<YOUR_MYSQL-SYSCP_PASSWORD> host=localhost db=syscp table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1 verbose=1`

Replace /etc/vsftpd.conf:

listen=YES

dual_log_enable=YES
log_ftp_protocol=YES
xferlog_enable=YES

anonymous_enable=NO
local_enable=YES
check_shell=NO

virtual_use_local_privs=YES

connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd

guest_username=www-data
guest_enable=NO
chroot_local_user=YES
hide_ids=YES

write_enable=YES
use_localtime=YES
local_umask=022
dirmessage_enable=YES

# local_root=/var/kunden/webs/$USER
# See: http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/
# allow_writeable_chroot=YES

user_sub_token=$USER
nopriv_user=www-data

Restart vsftpd:

/etc/init.d/vsftpd restart

Test it with your local ftp client.

Install Froxlor

apt-get install git
cd /var/kunden/webs/Server
git clone https://github.com/Froxlor/Froxlor webadmin.<yourdomain.com>

Create /etc/nginx/sites-available/webadmin. ( i have the “upstream” php5-fpm defined somewhere else ).

server {
    listen           <your_ip>:80;
    server_name     webadmin.<yourdomain.com>;

    root    /var/kunden/webs/Server/webadmin.<yourdomain.com>;
    index    index.html index.php;

    charset utf-8;

    location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xls)$ {
        access_log        off;
        expires           30d;
    }

    location / {
        rewrite ^(.*)$ /index.php$1 last;
    }

    location ~ "^(.+\.php)(.*)$" {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass   php5-fpm;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Enable the config, test it and restart nginx.

ln -s /etc/nginx/sites-available/webadmin.<yourdomain.com> /etc/nginx/sites-enabled/001-webadmin.<yourdomain.com>
nginx -t
/etc/init.d/nginx restart

See this guide on howto upgrade from syscp to froxlor:

(i did it my way tm - installed froxlor, then i replaced the db with the one from syscp)

Now go to http://webadmin.yourdomain.com and migrate the syscp data,

after the migration you should configure the webserver to nginx.

Froxlor - nginx settings:

[![froxlor-nginx-settings](http://rene.jochums.at/wp-content/uploads/2013/01/froxlor-nginx-settings-300x161.jpg)](http://rene.jochums.at/wp-content/uploads/2013/01/froxlor-nginx-settings.jpg)

Froxlor - phpfpm settings:

[![froxlor-phpfpm-settings](http://rene.jochums.at/wp-content/uploads/2013/01/froxlor-phpfpm-settings-300x137.jpg)](http://rene.jochums.at/wp-content/uploads/2013/01/froxlor-phpfpm-settings.jpg)

Run cron_tasks.php for the first time and check its output for errors:

/usr/bin/php -q /var/kunden/webs/Server/webadmin.<your-domain.com>/scripts/cron_tasks.php

Create a new MySQL user "vsftpd" and give him

SELECT rights on the tables **froxlor.ftp_users**,** froxlor.ftp_groups**

Replace /etc/pam.d/vsftpd again (now with the froxlor backend)

`auth     required       pam_mysql.so user=vsftpd passwd= host=localhost db=froxlor table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1
account  required       pam_mysql.so user=vsftpd passwd= host=localhost db=froxlor table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1`

Restart vsftpd:

/etc/init.d/vsftpd restart

Test with your local ftp client.

Can’t remember why but i had to replace libnss-mysql with libnss-mysql-bg

This is the config /etc/libnss-mysql.cfg for it if you need it.

getpwnam    SELECT username,'x',uid,gid,'MySQL User',homedir,shell \
FROM ftp_users \
WHERE username='%1$s' \
ORDER BY id ASC \
LIMIT 1

getpwuid    SELECT username,'x',uid,gid,'MySQL User',homedir,shell \
FROM ftp_users \
WHERE uid='%1$u' \
ORDER BY id ASC
LIMIT 1

getspnam    SELECT username,password,'1','0','99999','0','0','-1','0' \
FROM ftp_users \
WHERE username='%1$s' \
ORDER BY id ASC
LIMIT 1

getpwent    SELECT username,'x',uid,gid,'MySQL User',homedir,shell \
FROM ftp_users

getspent    SELECT username,password,'1','0','99999','0','0','-1','0' \
FROM ftp_users

getgrnam    SELECT groupname,'empty',gid \
FROM ftp_groups \
WHERE groupname='%1$s' \
LIMIT 1

getgrgid    SELECT groupname,'empty',gid \
FROM ftp_groups \
WHERE gid='%1$u' \
LIMIT 1

getgrent    SELECT groupname,'empty',gid \
FROM ftp_groups

memsbygid   SELECT members \
FROM ftp_groups \
WHERE gid='%1$u'

gidsbymem   SELECT gid \
FROM ftp_groups \
WHERE groupname='%1$s'

host        localhost
database    vsftpd
username    vsftpd
password    <your-vsftpd-pass-here>

/etc/libnss-mysql-root.cfg

username    vsftpd password    <your-vsftpd-pass-here>