Better process tracking using suPHP
The article explains suPHP and setting up suPHP on cPanel servers.
Constant Phishing/Spamming complaints can get extremely tiresome, and tracking down the source of the problem is not always easy. It wont be long before your IP addresses are listed on popular RBLs and your customers start complaining about mail delivery problems. To nip these problems in the bud, we have to look for better ways to track down the source of these problems. One way of better tracking processes on a cPanel server is switching to suPHP.
On a server that is running PHP as a DSO module, all PHP pages/scripts are executed with the permissions of the same user as the Apache web server. Two commonly used users are “apache” and “nobody”. On a shared hosting server this is a problem because all accounts on the server will have their PHP scripts executed by this same user. So if a malicious file/script is uploaded to say, the “/tmp” folder in the server, it will be impossible to track down which account was used to upload this file. This is where suPHP can help.
Once suPHP is enabled:
1. All the PHP scripts will run under the ownership of the user who owns the script.
2. The PHP scripts will be allowed a maximum of 644 permission.
3. PHP scripts will only work in folders that have a maximum of 755 permission.
With cPanel we can switch to suPHP in 8 simple steps. It is recommended to do this during off peak hours as it involves recompiling of Apache/PHP. This means the sites will be unavailable for some time, but not more than 30 minutes.
1. Data to be collected – Before the switch
a) Find the current PHP configuration on the server.
# /usr/local/cpanel/bin/rebuild_phpconf –current
b) Number of domains – This is to get an idea of the estimated time of completion. The more domains you have, the longer it will take for the switch to be completed.
c) Check the current PHP configuration to find modules currently enabled in PHP, so you will know if any of them are missing after the switch.
# php -i | grep configure
d) Apache version
2. Run easyapache script – /scripts/easyapache
After recompilation make sure that all required modules are enabled on the server.
3. Correct the permissions of all files/folders inside /home
Once suPHP is enabled, PHP scripts with permissions greater than 644 will throw a “500 Internal Server Error”, same is the case for any PHP script inside a folder with permissions greater than 755. So once suPHP has been enabled you must make sure that:
a)All PHP scripts have permissions of 644 and below.
b)All folders with PHP scripts should have permissions of 755 and below.
4. Remove PHP variables from .htaccess
When PHP is running as a DSO, PHP variables can be changed by using the “.htaccess” file. Once you switch to suPHP this is no longer applicable. All settings will have to changed using a php.ini file in the corresponding folder. Not only that, if you leave the values in the “.htaccess” file PHP will not work in those folders. So you must check each to make sure no PHP variables are set in them.
5. Change PHP handler to suPHP
This can be done via WHM at:
Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration
You can select which version of PHP you wish to run as suPHP. If you have both PHP4 and PHP5 on your server, it is recommended you set them both to suPHP, but you can chose various combinations of suPHP, DSO and CGI.
6. Copy /usr/local/lib/php.ini to individual domains.
Manually make necessary modifications to PHP variables in the php.ini of each domain. You can write a bash script to do this if you have many domains.
7. Set the suPHP_ConfigPath
To set this enter the following line in a “.htaccess” file:
Once this is set, the php.ini file in the folder /home/username/public_html will be effective for all sub folders too. So this will be useful if you have to make the PHP settings effective on all folders of the domain.
8. Check the Apache error logs
If there are still permission and ownership issues, you will see errors like ‘Premature script Headers”. Locate the file and correct its permissions, or the folder in which it is located.
Congratulations! Your server will now be running suPHP and all domain folders/files should have the correct permissions/ownership.
An easy way to get alerts when a particular user is abusing server resources would be to install CSF. CSF can be configured to send alerts to your desired email address. More details are available here.
I personally recommend suPHP+csf for better management of servers 🙂
About the author:
Sijin A. George works as Sr. Software Engineer at Bobcares.com. She has been with Bobcares for 6 years and specializes on Linux/Windows server administration. During her free time she loves to spend time with her daughter.