Config Server Exploit Scanner

This article will describe installation process of Exploit Scanner

Installation
============

1. Product installation:

2.You can read the Config server Exploit Scanner documentation either through:

3.You will want to modify the following files to suit your requirements after
you have read the cxs documentation and studied the CLI option. These files
can be changed at any time and contain the cxs commands and options you want
to use for scanning files as they are uploaded:

The pure-ftpd upload scanner script that runs cxs:

The web script upload scanner script that runs cxs:

4.Web script upload scanning is performed via mod_security. To enable this add
the following two lines (be careful of line breaks) to your mod_security
rules file (/usr/local/apache/conf/modsec2.user.conf on cPanel):

If you allow the uploading of very large files, you may need to
increase the default mod_security allowable size of 128MB by using the
SecRequestBodyLimit directive after SecRequestBodyAccess:

This value is in bytes (134217728 = 128MB). You might also want to
create the temporary files in a directory other than /tmp using:

SecTmpDir /path/to/dir

Where /path/to/dir is a directory where the large files can be
temporarily stored and must be writable to by the nobody user

Then restart httpd

As an alternative to using mod_security you can use suhosin for PHP web
script scanning ONLY (i.e. will not scan other types of web script), by
editing the active php.ini file (e.g. /usr/local/lib/php.ini) and after the
suhosin.so module is loaded add:

suhosin.upload.verification_script = “/etc/cxs/cxscgi.sh”

Then restart httpd

Note: Do NOT use both mod_security and suhosin scanning together as you will
scan each file upload twice

5.Pure-ftpd upload scanning requires you to edit the active pure-ftpd.conf
(e.g. /etc/pure-ftpd.conf) and adding/modifying the line:

Note: Pure-ftpd must be compiled with –with-uploadscript option (usually
done by default)

Then restart pure-ftpd and pure-uploadscript. The installation process adds
a new service in /etc/init.d/pure-uploadscript which runs as a daemon and
passes ftp uploads to /etc/cxs/cxsftp.sh

6.ClamAV scanning requires a running clamd daemon. By default cxs will look
for the clamd socket at /tmp/clamd and /var/clamd, if it is located
elsewhere then you must use the –clamdsock option and pass the socket
location in every cxs call (i.e. in cxsftp.sh, cxscgi.sh and the cxs CLI) or
use a cxs.defaults file.

7. If you want automatic updates then add the following to the root crontab or
via the cxs UI:

8. You can test both Perl CGI and PHP upload checks by copying the files
/etc/cxs/test.* to an empty test directory within a web site on the server
(set the file permissions and ownership correctly).

First upload a normal file to check the uploads work.

Then try uploading the exploit file from /etc/cxs/test/udp.pl which should
trigger whatever settings you have configured in /etc/cxs/cxscgi.sh

You can also upload /etc/cxs/test/udp.pl via FTP which should trigger
whatever settings you have configured in /etc/cxs/cxsftp.sh

NOTE: Remove the test scripts from the web site after testing as the test
scripts are NOT secure.

Webmin Module Installation/Upgrade (not yet implemented)
==================================

To install or upgrade the cxs webmin module:

Install cxs as above
Install the cxs webmin module in:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/cxs/cxswebmin.tgz > Install Module

Uninstallation
==============

Reverse items 4 and 5. above, then: