How do I configure cxs to scan and quarantine suspicious files uploaded through php and cgi scripts using mod_security?

You should be comfortable logging in over SSH as root and running Linux commands to follow these instructions.

1. First ensure that mod_security is installed and enabled on your server.

2. Create your quarantine directory if you have not already done so. For example, create a directory called /home/quarantine/. Make sure to chmod it to 1777 (world-writable with the sticky bit set, so files can be moved in by the web server user but not removed by other users).

mkdir /home/quarantine/
chmod 1777 /home/quarantine/

Note that your quarantine directory must be in a location with world write access, because the scan is triggered from the web server and not from a root shell. So, for example, do not put it in a location that only root can read, such as the /root/ directory. You could put it somewhere under /var/ or /usr/ if you don't want it in /home/.

3. Edit the file /usr/local/apache/conf/modsec2.user.conf and add the following two directives (at the top of the file is fine; the SecRule spans two physical lines):

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
	"log,auditlog,deny,severity:2,id:'1010101'"

(Note: The trailing backslash (\) lets you split a long command line onto two lines. Make sure the closing double quote after the id is present, otherwise Apache will refuse to start with a configuration error.)

4. Restart Apache and check the error log for problems:

/scripts/restartsrv_httpd
tail -f /usr/local/apache/logs/error_log

5. Edit the file /etc/cxs/cxscgi.sh and modify the command line to suit your requirements. For example, to use the default cxs scan options and quarantine any suspicious files, with your quarantine directory in /home/quarantine/, the command line in cxscgi.sh might look like this:

/usr/sbin/cxs --quiet --cgi --mail root \
     --quarantine /home/quarantine/ "$1"

If you only want to quarantine uploads that match specific scan options, add --qoptions. When --qoptions is set, a file that matches an option included in --options (or in the default options) but NOT included in --qoptions will trigger an alert email but will not be quarantined.

For example, this command line would quarantine only fingerprint matches and viruses (the categories least likely to produce false positives):

/usr/sbin/cxs --quiet --cgi --qoptions Mv --mail root \
     --quarantine /home/quarantine/ "$1"

Make sure that the email address configured as the root forwarder is a working and monitored address, so that you actually receive the cxs alert emails.

Make sure that you have only one uncommented cxs command line in your cxscgi.sh file.
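The following script is an added example and is not part of the original article, nor code from cxs or ModSecurity. It checks the three points the steps above depend on: the quarantine directory exists, is not under /root/, and has mode 1777; modsec2.user.conf contains SecRequestBodyAccess On and an @inspectFile rule on FILES_TMPNAMES whose double quotes are balanced and which carries an id; and cxscgi.sh has exactly one uncommented cxs command line. The function names are hypothetical, GNU coreutils `stat -c` is assumed, and the demo runs against constructed copies of the files in a temporary directory rather than the live paths.

```shell
#!/bin/sh
# Added example (not from the article, cxs, or ModSecurity): sanity checks for
# the quarantine directory, the mod_security rule, and cxscgi.sh.
# Assumptions: GNU `stat -c` is available; a cxscgi.sh line "invokes cxs" if it
# contains /cxs (or starts with cxs) followed by whitespace.

# Join backslash-continued lines so a two-line SecRule or cxs command line
# is inspected as one logical line.
join_continuations() {
    sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 't a' "$1"
}

# check_quarantine_dir DIR: exists, is not under /root, and has mode 1777.
check_quarantine_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "quarantine: $dir is not a directory" >&2; return 1; }
    case "$dir" in
        /root|/root/*) echo "quarantine: $dir is under /root, not world-writable" >&2; return 1 ;;
    esac
    mode=$(stat -c '%a' "$dir" 2>/dev/null || true)
    [ "$mode" = "1777" ] || { echo "quarantine: expected mode 1777 on $dir, got '$mode'" >&2; return 1; }
}

# check_modsec_conf FILE: SecRequestBodyAccess On is present, and the
# @inspectFile rule on FILES_TMPNAMES has balanced double quotes and an id.
check_modsec_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*SecRequestBodyAccess[[:space:]]+On' "$conf" \
        || { echo "modsec: SecRequestBodyAccess On missing in $conf" >&2; return 1; }
    rule=$(join_continuations "$conf" \
           | grep -E 'SecRule[[:space:]]+FILES_TMPNAMES.*@inspectFile' || true)
    [ -n "$rule" ] || { echo "modsec: no @inspectFile rule on FILES_TMPNAMES in $conf" >&2; return 1; }
    quotes=$(printf '%s' "$rule" | tr -cd '"' | wc -c)
    [ $((quotes % 2)) -eq 0 ] \
        || { echo "modsec: unbalanced double quotes in SecRule (missing closing quote?)" >&2; return 1; }
    printf '%s' "$rule" | grep -Eq "id:'?[0-9]+'?" \
        || { echo "modsec: SecRule has no id: action" >&2; return 1; }
}

# check_cxscgi FILE: exactly one uncommented line invokes cxs.
check_cxscgi() {
    script="$1"
    n=$(join_continuations "$script" \
        | grep -Ev '^[[:space:]]*(#|$)' \
        | grep -Ec '(^|/)cxs[[:space:]]' || true)
    [ "$n" -eq 1 ] || { echo "cxscgi: expected 1 uncommented cxs command line in $script, found $n" >&2; return 1; }
}

# Demo on constructed files that mirror the article's configuration.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/quarantine" && chmod 1777 "$tmp/quarantine"
    cat > "$tmp/modsec2.user.conf" <<'EOF'
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
    "log,auditlog,deny,severity:2,id:'1010101'"
EOF
    cat > "$tmp/cxscgi.sh" <<'EOF'
#!/bin/sh
# /usr/sbin/cxs --quiet --cgi --mail root --quarantine /home/quarantine/ "$1"
/usr/sbin/cxs --quiet --cgi --qoptions Mv --mail root \
     --quarantine /home/quarantine/ "$1"
EOF
    if check_quarantine_dir "$tmp/quarantine" \
       && check_modsec_conf "$tmp/modsec2.user.conf" \
       && check_cxscgi "$tmp/cxscgi.sh"; then
        rc=0; echo "all checks passed"
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo
```

To use it on a real server, call the three check functions with /home/quarantine/, /usr/local/apache/conf/modsec2.user.conf and /etc/cxs/cxscgi.sh instead of running demo. The quote-balance check catches the most common copy-and-paste mistake with the SecRule (a lost closing quote), and the cxscgi check enforces the single-command-line rule above.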
