I would like, if it is possible, to have an option to automatically suspend an account when it detects exploits or the regall argument. Something to append to the scanner, like /scripts/suspendacct <username>. It doesn't matter if it is a false positive. I can test the script with this option for you on my server if you want. It will help a lot. I had a user who tried to upload 900 times, can you imagine that?
Regards,
George B.
CXS and account suspend
We're going to look at providing an external script hook that cxs can call when it identifies a suspicious file. You can then code whatever actions you want in that external script. Bear in mind that the script will run under the context of the user account it is run, so if it's a web upload script, this will be the nobody user (ModSecurity) and won't have privileges to do much. FTP and manual scans run under root, so should not be an issue.
chirpy wrote: We're going to look at providing an external script hook that cxs can call when it identifies a suspicious file. You can then code whatever actions you want in that external script. Bear in mind that the script will run under the context of the user account it is run, so if it's a web upload script, this will be the nobody user (ModSecurity) and won't have privileges to do much. FTP and manual scans run under root, so should not be an issue.
Thanks for this great option, but a question: how can I use a variable in my script with the line /scripts/suspendacct <username> to get the account name in my script?
I just wanted to tell you that I tried $1 $2 $3 $4 (4 is empty * file has option --all). Then I wrote a small script, I tested it and it is OK. Maybe somebody else will use my script, or maybe you can suggest something simpler:
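#!/bin/sh
# $1 is the path of the flagged file; $3 is used as the reason in the mail subject
USR=$(echo "$1" | cut -d'/' -f3) # I am taking the username from the file path
# Stop if no username could be extracted (otherwise the directory test below always matches)
[ -n "$USR" ] || exit 1
if [ -e "/var/cpanel/suspended/${USR}" ]; then
    # mail reads the message body from stdin; pass the file path so it does not wait for input
    echo "$1" | mail -s "Account ${USR} is already suspended!" root
else
    /scripts/suspendacct "${USR}"
    echo "$1" | mail -s "Account ${USR} was suspended because of [$3] !" root
fi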
regards,
George B.
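
A hardened variant of the hook script above, added here as an example (it is not code from the thread or from cxs): it accepts only paths under /home, checks the extracted name against /var/cpanel/users, and skips the suspension when it is not running as root, which is the web-upload case chirpy describes. The function names, the /home layout, the username character set and the argument positions ($1 path, $3 reason, as used in the post) are assumptions.

```shell
#!/bin/sh
# Added example: hardened cxs hook sketch. Argument positions ($1 = flagged
# file path, $3 = reason) follow the poster's script, not cxs documentation.
USERS_DIR="${USERS_DIR:-/var/cpanel/users}"            # one file per cPanel account
SUSPENDED_DIR="${SUSPENDED_DIR:-/var/cpanel/suspended}"
HOME_ROOT="${HOME_ROOT:-/home}"                        # assumption: homes live here

# Print the account owning a flagged path. Fails if the path is not under
# HOME_ROOT, the name has unexpected characters, or no such account exists.
account_from_path() {
    case "$1" in
        "$HOME_ROOT"/*) ;;
        *) return 1 ;;
    esac
    rest=${1#"$HOME_ROOT"/}
    user=${rest%%/*}
    case "$user" in
        ''|*[!a-z0-9]*) return 1 ;;   # assumption: lowercase letters and digits
    esac
    [ -f "$USERS_DIR/$user" ] || return 1
    printf '%s\n' "$user"
}

# Print the action to take: "suspend", "already" or "skip:<why>".
decide() {
    user=$(account_from_path "$1") || { echo "skip:no-account"; return 0; }
    if [ -e "$SUSPENDED_DIR/$user" ]; then echo "already"; return 0; fi
    # Web upload scans run as nobody and cannot suspend; only act as root.
    if [ "$(id -u)" -ne 0 ]; then echo "skip:not-root"; return 0; fi
    echo "suspend"
}

handle_hit() {
    action=$(decide "$1")
    user=$(account_from_path "$1") || user="unknown"
    if [ "$action" = "suspend" ]; then /scripts/suspendacct "$user"; fi
    # Always report, with the details in the body so mail never waits on stdin.
    printf 'file: %s\nreason: %s\naction: %s\n' "$1" "${3:-unspecified}" "$action" |
        mail -s "cxs hit for ${user}: ${action}" root
}

# Run only when called with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then handle_hit "$@"; fi
```

A hit reported from a web upload scan still produces a mail to root with action skip:not-root, so the account can be suspended by hand or by a later root-run scan.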