CXS and account suspend
Posted: 24 Jun 2010, 01:23
by freeman
I would like, if it is possible, to have an option to automatically suspend an account when it detects exploits or regall argument. Something like appending to the scanner a line like /scripts/suspendacct <username>. It doesn't matter if it is a false positive. I can test the script with this option for you on my server if you want. It will help a lot. I had a user who tried to upload 900 times, can you imagine that?
Regards,
George B.
Posted: 04 Jul 2010, 16:32
by chirpy
We're going to look at providing an external script hook that cxs can call when it identifies a suspicious file. You can then code whatever actions you want in that external script. Bear in mind that the script will run under the context of the user account it is run, so if it's a web upload script, this will be the nobody user (ModSecurity) and won't have privileges to do much. FTP and manual scans run under root, so should not be an issue.
Posted: 08 Jul 2010, 00:32
by freeman
chirpy wrote: We're going to look at providing an external script hook that cxs can call when it identifies a suspicious file. You can then code whatever actions you want in that external script. Bear in mind that the script will run under the context of the user account it is run, so if it's a web upload script, this will be the nobody user (ModSecurity) and won't have privileges to do much. FTP and manual scans run under root, so should not be an issue.
Thanks for this great option, but I have a question: how can I use a variable in my script with the line /scripts/suspendacct <username> to get the account name in my script?
I just wanted to tell you that I tried $1 $2 $3 $4 (4 is empty * file has option --all). Then I wrote a small script, tested it, and it is OK. Maybe somebody else will use my script, or maybe you can suggest something simpler:
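#!/bin/sh
# $1 is the path of the flagged file; the username is its third '/'-separated field
USR=$(echo "$1" | cut -d'/' -f3)
# Nothing to suspend if no username could be extracted
[ -n "$USR" ] || exit 1
if [ -e "/var/cpanel/suspended/${USR}" ] ; then
    # Redirect stdin so mail does not wait for a message body
    mail -s "Account ${USR} is already suspended!" root < /dev/null
else
    /scripts/suspendacct "${USR}"
    mail -s "Account ${USR} was suspended because of [$3] !" root < /dev/null
fi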
regards,
George B.
Posted: 26 Jul 2010, 09:17
by chirpy
Thank you for posting your example, it shows what you can do with the feature nicely.
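
An added example, not part of the thread and not cxs or cPanel code: a variant of the hook script posted above that validates the username taken from the file path and checks for root before suspending, since the hook runs as the nobody user on web uploads. It assumes the arguments as described in the thread ($1 = file path, $3 = match reason) and accounts under /home/<user>/; the HOME_BASE, SUSPENDED_DIR and SUSPEND_CMD variables and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed hook arguments, taken from the thread above:
#   $1 = path of the flagged file, $3 = reason for the match.
HOME_BASE="${HOME_BASE:-/home}"            # assumption: accounts live in /home/<user>/
SUSPENDED_DIR="${SUSPENDED_DIR:-/var/cpanel/suspended}"
SUSPEND_CMD="${SUSPEND_CMD:-/scripts/suspendacct}"

# Print the account name for a path under $HOME_BASE/<user>/..., or fail.
account_from_path() {
    case "$1" in
        "$HOME_BASE"/*/*) ;;
        *) return 1 ;;                     # e.g. /tmp uploads: no account in the path
    esac
    rest=${1#"$HOME_BASE"/}
    user=${rest%%/*}
    # Conservative character policy (constructed for this example).
    case "$user" in
        ''|.*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# Print one of: skip, already, noprivs, suspend.  $1 = file path, $2 = effective uid
decide_action() {
    user=$(account_from_path "$1") || { echo skip; return 0; }
    if [ -e "$SUSPENDED_DIR/$user" ]; then echo already
    elif [ "$2" -ne 0 ]; then echo noprivs # e.g. the nobody user on web uploads
    else echo suspend
    fi
}

hook_main() {
    action=$(decide_action "$1" "$(id -u)")
    user=$(account_from_path "$1") || user=unknown
    case "$action" in
        suspend) "$SUSPEND_CMD" "$user" &&
                 mail -s "Account $user suspended because of [$3]" root </dev/null ;;
        noprivs) mail -s "cxs hit for $user [$3]: not root, not suspended" root </dev/null ;;
        *) : ;;  # skip or already suspended: stay quiet so repeated hits do not flood root
    esac
}

# Act only when called with arguments, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then hook_main "$@"; fi
```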