ggduff
May 24 2005, 08:45 AM
I recently had someone launch an attack from my server, by getting some nasty perl scripts in the /tmp directory. I couldn't find any evidence of ssh or ftp access so I'm assuming that the vulnerability is from one or more of my hosting clients using scripts that don't check form input data and strip html tags, etc.
My question is, how is it possible to have a secure server when you cannot control the quality of scripting that clients use? Going through everyone's code everyday to make sure they are crossing their t's and dotting their i's so to speak, is impossible.
Surely others have been running into this problem as more and more inexperienced coders are writing more and more script. It really stinks when one user's bad coding practices take the whole server down. Advice is much appreciated!
uneedawebsite
May 24 2005, 10:50 AM
You don't have the CPanel demo mode enabled, do you? I had this same problem and discovered that they were getting in via demo mode.
eth00
May 24 2005, 12:32 PM
The first and biggest thing I would suggest is mod_security. Beyond that you could look at a firewall that does egress filtering or hardening the system so tools like wget are not accessible by nobody. I have a fair amount of information listed on my website that you probably want to take a look at.
The mod_security install only takes a few minutes and stops most of the bad stuff from getting into /tmp. If I had to take a guess the server was exploited by a phpbb which never really seems to be safe.
dalem
May 24 2005, 03:35 PM
/scripts/securetmp will make the tmp directory noexec
And yes having a firewall like APF would help close down those unneeded ports
eth00
May 24 2005, 04:21 PM
QUOTE (dalem)
/scripts/securetmp will make the tmp directory noexec
And yes having a firewall like APF would help close down those unneeded ports
Noexec is nice but does not stop any of the perl scripts.
Egress filtering is the important part, ingress filtering is a good part of the security model but egress can stop an attack from leaving the server if you are compromised.
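To make eth00's egress-filtering point concrete, here is an added example (not code from the thread or from any of the posters) that builds an iptables-restore ruleset confining outbound traffic from the web-server user. It assumes Apache runs as "nobody", that scripts only need DNS outbound, and that the generated file is reviewed before it is loaded; a perl script dropped in /tmp that noexec would not stop still cannot connect out, and the attempt is logged.

```shell
#!/bin/sh
# Egress filter for the web-server user (assumed to be "nobody").
# Nothing is applied here: the rules are emitted as an iptables-restore
# fragment so they can be inspected and tested first.

WEB_USER=${WEB_USER:-nobody}

# Emit the filter table's OUTPUT chain plus a WEB_EGRESS chain that the
# web-server user's new connections are sent through.
egress_rules() {
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
:WEB_EGRESS - [0:0]
# Replies on connections the server already has stay allowed.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Local traffic (MySQL on the loopback, etc.) is not filtered.
-A OUTPUT -o lo -j ACCEPT
# Anything else originated by the web-server user goes to WEB_EGRESS.
-A OUTPUT -m owner --uid-owner $WEB_USER -j WEB_EGRESS
# The web-server user may still resolve names.
-A WEB_EGRESS -p udp --dport 53 -j ACCEPT
-A WEB_EGRESS -p tcp --dport 53 -j ACCEPT
# Every other new outbound connection from that user (an IRC bot, a wget
# of more tools, an attack on a third party) is logged, then rejected.
-A WEB_EGRESS -m limit --limit 5/min -j LOG --log-prefix "EGRESS-BLOCK $WEB_USER: "
-A WEB_EGRESS -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Number of -A rules in the generated ruleset (a quick sanity check).
rule_count() {
    egress_rules | grep -c '^-A'
}

# Write the ruleset to a file for review, e.g.
#   egress_rules > /root/web-egress.rules
#   iptables-restore --test < /root/web-egress.rules
# Blocked attempts then show up in syslog with the EGRESS-BLOCK prefix.
```

Watch the syslog prefix for a few days on a busy shared server before trusting the reject rule; a client script that legitimately posts to a payment gateway will show up there first.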
ggduff
May 25 2005, 08:40 AM
Thanks a million for the great advice!