CXS and account suspend

freeman
Junior Member
Posts: 35
Joined: 11 Dec 2006, 01:00

Post by freeman »

I would like, if it is possible, to have an option to automatically suspend an account when it detects exploits or regall argument. Something like appending /scripts/suspendacct <username> to the scanner. It doesn't matter if it is a false positive. I can test the script with this option for you on my server if you want. It will help a lot. I had a user who tried to upload 900 times, can you imagine that?

Regards,
George B.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

We're going to look at providing an external script hook that cxs can call when it identifies a suspicious file. You can then code whatever actions you want in that external script. Bear in mind that the script will run under the context of the user account it is run, so if it's a web upload script, this will be the nobody user (ModSecurity) and won't have privileges to do much. FTP and manual scans run under root, so should not be an issue.
freeman
Junior Member
Posts: 35
Joined: 11 Dec 2006, 01:00

Post by freeman »

chirpy wrote: We're going to look at providing an external script hook that cxs can call when it identifies a suspicious file. You can then code whatever actions you want in that external script. Bear in mind that the script will run under the context of the user account it is run, so if it's a web upload script, this will be the nobody user (ModSecurity) and won't have privileges to do much. FTP and manual scans run under root, so should not be an issue.
Thanks for this great option, but a question: how can I use a variable in my script with the line /scripts/suspendacct <username> to get the account name in my script?

I just wanted to tell you that I tried $1 $2 $3 $4 (4 is empty * file has option --all). Then I wrote a small script; I tested it and it is OK. Maybe somebody else will use my script, or maybe you can suggest something simpler:


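#!/bin/sh
# $1 is the path of the flagged file; $3 is used below as the reason in the mail subject.
# Take the username from the file path (third '/'-separated field, e.g. /home/<username>/...).
USR=$(printf '%s\n' "$1" | cut -d'/' -f3)
# Stop unless the derived name is an existing cPanel account (the path comes from the upload).
[ -n "$USR" ] && [ -f "/var/cpanel/users/$USR" ] || exit 1
if [ -e "/var/cpanel/suspended/$USR" ] ; then
    # Empty body from /dev/null so mail does not wait on stdin.
    mail -s "Account $USR is already suspended!" root < /dev/null
else
    /scripts/suspendacct "$USR"
    mail -s "Account $USR was suspended because of [$3] !" root < /dev/null
fi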


regards,
George B.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Thank you for posting your example, it shows what you can do with the feature nicely.
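
A hardened variant of the hook idea discussed in this thread, as an added example that is not part of the original posts or of cxs: it validates the account name taken from the file path and only suspends when running as root, logging instead when called unprivileged (the nobody case chirpy mentions). The argument order, the /home layout, the username character set and the USERS_DIR, SUSPENDED_DIR and HOME_ROOT overrides are assumptions.

```shell
#!/bin/sh
# Added example: decision logic for a cxs hook, kept apart from the action
# so it can be tested. The three directory overrides are assumptions.
USERS_DIR=${USERS_DIR:-/var/cpanel/users}            # one file per account
SUSPENDED_DIR=${SUSPENDED_DIR:-/var/cpanel/suspended}
HOME_ROOT=${HOME_ROOT:-/home}                        # assumed home layout

# Print the account that owns a path under $HOME_ROOT, or fail.
account_from_path() {
    case $1 in
        "$HOME_ROOT"/*) rest=${1#"$HOME_ROOT"/} ;;
        *) return 1 ;;                               # e.g. a temp upload path
    esac
    user=${rest%%/*}
    # The path is influenced by the uploader: accept only a plain name
    # (assumed charset a-z0-9) that exists as an account, never "..".
    case $user in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ -f "$USERS_DIR/$user" ] || return 1
    printf '%s\n' "$user"
}

# Print one of: reject, already, defer, suspend.
# $1 = flagged file path, $2 = effective uid of the caller.
decide() {
    acct=$(account_from_path "$1") || { echo reject; return 0; }
    if [ -e "$SUSPENDED_DIR/$acct" ]; then echo already
    elif [ "$2" -ne 0 ]; then echo defer             # nobody cannot suspend
    else echo suspend
    fi
}

cxs_hook() {
    action=$(decide "$1" "$(id -u)")
    case $action in
        suspend) /scripts/suspendacct "$(account_from_path "$1")" ;;
        defer)   logger -t cxs-hook "unprivileged hit, review needed: $1" ;;
        *)       logger -t cxs-hook "$action: $1" ;;
    esac
}

# Act only when called with arguments (as a hook would be).
if [ "$#" -gt 0 ]; then cxs_hook "$@"; fi
```

Deferred hits go to syslog under the cxs-hook tag, where a root-owned job or an administrator can review them.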