Fingerprint public_html


SteKs


There should be a tool in cPanel that can fingerprint all files/dirs - after a hack attack it would then be easy to have changed/missing files listed at the click of a button. It would help enormously in restoring the website.

A file backup is only useful when you have a complete and authentic backup of all files!

Should be a standard tool included in cPanel by default

good idea?

Not a bad idea...but where would you store the fingerprint, on the already hacked server? Hmmm everything looks ok here...

You could also do it yourself to some extent, take a SHA-1 hash of everything going up. This is actually more ideal now that I think of it, because if the server is hacked, in theory cPanel and whatever was storing the SHA-1 could be compromised too...

EDIT: Also any fast moving/dynamic content (database stuff, etc.) will be a pain in the butt to fingerprint all the time...

> Not a bad idea...but where would you store the fingerprint, on the already hacked server? Hmmm everything looks ok here...

Just want to address this before anything else: in the case of cPanel/shared servers, at least with us, it is never the server being compromised but just a specific user account. So in that respect it could be technically possible to store the fingerprint in a directory not affected by an account-level compromise. That said...

What we're discussing here is essentially an IDS, or intrusion detection system (Tripwire, OSSEC, etc). You scan your server/files/whatever you want, establish your fingerprint and then scan again at a set interval and look for file changes. Now the problem with doing this is that a properly done IDS is resource intensive, and would add so much overhead to a shared server it simply wouldn't be possible to do on a grand scale. This is an oversimplification of course, but enough to get the general idea.

I love the thought and would love to be able to offer something like this but the resources just aren't there to do this effectively for shared users.

The fingerprint tool can be *manual* hence the site owner has to do it from time to time - not a monitor service hence not resource intensive.

..the current situation is unsatisfactory as you don't always know when an account/files have been tampered with .. it's not always obvious hence your data backups are rubbish from this point on. I had a massive break-in back in July and only noticed 2 months later something was wrong. All the backups have been worthless from this time on.

Hawkhost could be a trendsetter by providing such a simple but powerful tool :)

Well, when you were broken into, you should have asked Hawkhost to "reset" you (I've never asked but I'm sure they could put you back to fresh from the factory configuration), then restored a backup that occurred prior to the break-in. Trying to recover piecemeal is a lousy idea in any circumstance; granted, even with fingerprints you might miss something.

Also I don't know the depth of the tampering. While it isn't likely that the server's been compromised, you just never know. Store your own fingerprints if you were to use such a tool and don't rely on server stored fingerprints.

I am just providing a smart idea how to improve the service - you don't need to lecture me what I can do .. this is not the point of this thread!

This is a fairly simple and basic request some host will pick up if not Hawkhost ;)

To quote Inigo Montoya "I do not think it is as easy as you think it is as easy as" :-/

Edit to Add: Hey if you think it's easy, create it yourself, I betcha this has good commercial potential if it can be pulled off right.

Well, for WordPress such a plugin already exists and is working nicely without breaking resources - sending you even an alert when a file got altered!

Should require very little brain to apply such a concept to other directory(ies)

Edit: I am no coder but sure such tools are already there - just need to be put in cPanel

> The fingerprint tool can be *manual* hence the site owner has to do it from time to time - not a monitor service hence not resource intensive.
>
> ..the current situation is unsatisfactory as you don't always know when an account/files have been tampered with .. it's not always obvious hence your data backups are rubbish from this point on. I had a massive break-in back in July and only noticed 2 months later something was wrong. All the backups have been worthless from this time on.
>
> Hawkhost could be a trendsetter by providing such a simple but powerful tool :)

Brian pretty much hit the nail on the head with this. It still has *huge* potential to be resource intensive regardless of whether it's automatic or manual. In addition to this it's remarkably tedious to configure an IDS solution to take into account all of the dynamic files that get created and modified constantly - it would be a manual process for the user to add "whitelist" paths (cache folders, upload folders, temporary folders, etc).

Another problem is the time needed to invest into making a good solution isn't economical as the amount of users who would be able to use it to its full potential would be remarkably low. It would also increase the work load on our end as explaining all gotchas (large amount of files, false positives (of which there will be plenty)) and so forth really can't be overlooked. We're talking about a relatively large customer base.

That being said it certainly could be done in a nice integrated manner and in a controlled way - especially with the newer CloudLinux that supports IO limits.

Ultimately at this time it's simply not economical for us to invest time into a feature like this - we'd rather look into something that a large majority of our users can utilize and not a small subset.

However this may be an interesting feature for our semi-dedicated plans as there is far more wiggle room when it comes to resources.

Great ideas and feedback - we really appreciate it :).

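As an added example (not part of the thread, and not Hawkhost or cPanel code), here is a sketch of the manual fingerprint run discussed above: hash every file, skip the constantly changing directories, keep the manifest off the server, and list changed, missing and added files on a later run. It uses SHA-256 rather than the SHA-1 mentioned in the thread; the function names, the `cache` exclusion and the sample files are assumptions made for illustration.

```python
import hashlib, json, os, pathlib, tempfile

def file_digest(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks to keep memory use flat."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, exclude=()):
    """Map relative path -> digest; `exclude` dirs (cache, tmp) are pruned."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel == "." else rel + "/"
        dirnames[:] = [d for d in dirnames if prefix + d not in exclude]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):      # record the target, do not follow
                manifest[prefix + name] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[prefix + name] = file_digest(full)
    return manifest

def compare(baseline, current):
    """Sorted lists of changed, missing and added paths since the baseline."""
    return {
        "changed": sorted(p for p in baseline if current.get(p, baseline[p]) != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    def write(root, rel, text):
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    with tempfile.TemporaryDirectory() as root:  # constructed sample site
        for rel in ("index.php", "css/site.css", "cache/page.html"):
            write(root, rel, "original " + rel)
        saved = json.dumps(build_manifest(root, exclude={"cache"}))  # keep off-server
        write(root, "index.php", "modified")
        write(root, "cache/page.html", "regenerated")  # excluded, so ignored
        write(root, "img/new.php", "unexpected file")
        os.remove(os.path.join(root, "css/site.css"))
        return compare(json.loads(saved), build_manifest(root, exclude={"cache"}))

if __name__ == "__main__": print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the saved manifest, so store the JSON somewhere the hosting account cannot write, such as your own machine.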
