linuxscooter, posted June 28, 2018

Hi Folks,

I have an interesting situation where we have Ubuntu 14.04 and 16.04 servers we need to protect for pen testers checking our product. I eventually got real-time protection working on both distros using global preload of the pac library, i.e.:

root@p24-d-wpress-102:/home# cat /etc/ld.so.preload
/opt/eset/esets/lib/libesets_pac.so

This works on our 64-bit systems after installing the 32-bit libraries on Ubuntu. This is combined with protecting certain folders in /etc/opt/eset/esets/esets.cfg. If I attempt to wget, SFTP or SCP an EICAR test file or similar, it is automatically removed, which is great. Interestingly, rsync does not block the file, and I currently suspect this is due to rsync using a streaming copy and not a linear copy, and thus the size of the test file might be altered (apparently it should be exactly 68 bytes).

I protect the folders in the [pac] section of the file, e.g.:

-------------
event_mask = "open:create:exec"
# ctl_incl = "directory" # Colon separated list of directories to scan files in.
ctl_incl = "/home:/var/www:/tmp"
-----------

This combined with global preload works. However, we run a WordPress stack. I set up two test boxes with stock standard latest WordPress, i.e. 14.04 and 16.04. 14.04 did not block the test file when attempting to upload via the WordPress media library. 16.04 did block. After speaking to ESET support, they suggested upgrading the version of PHP we use on Ubuntu 14.04, as quite rightly this is the code that would handle file uploads. I did so and it worked. Yay!

These are our test boxes though. Our production boxes all run 14.04, have the exact same ESET setups and for some reason allow the file(s) to be uploaded in WordPress. It seems the PHP version is virtually exactly the same. The configs are the same as the test boxes. My immediate reaction was to perhaps blame us using a customised WP stack, but it seems to be fairly standard in terms of media uploads.
The fact that both boxes block SCP / SFTP etc. leads me to believe global preload is working as expected; however, perhaps there is something needed on the WordPress side I have missed? I could try the dac or dazuko kernel module, but it hasn't been maintained since 2011 it seems.

Many thanks in advance for any suggestions / help and advice,
C
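One check worth running on a box where uploads slip through is whether every directory an upload passes through (PHP's temporary upload directory first, then the final wp-content/uploads location) actually sits under one of the colon-separated directories in the [pac] ctl_incl setting, since only those are scanned on open/create/exec. The script below is an added example, not code from the original post or from ESET; the sample config text and the candidate paths it checks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or ESET): parse ctl_incl from the [pac]
# section of an esets.cfg-style file and test whether candidate paths are
# covered by it. Sample config and paths below are constructed.

# Print the ctl_incl value from the [pac] section only (commented lines
# and the same key in other sections are ignored).
pac_ctl_incl() {            # $1 = config file
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[pac\]/); next }
        insec && /^[[:space:]]*ctl_incl[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); gsub(/"/, ""); print; exit
        }' "$1"
}

# Return 0 if path $2 is one of the directories in colon list $1 or lies
# beneath one; a prefix alone is not enough ("/var/www2" is not "/var/www").
path_covered() {            # $1 = colon-separated list, $2 = absolute path
    local IFS=':' dir
    for dir in $1; do
        dir=${dir%/}
        [ "$2" = "$dir" ] && return 0
        case "$2" in "$dir"/*) return 0 ;; esac
    done
    return 1
}

# Print one line per path stating whether the [pac] include list covers it.
report_upload_paths() {     # $1 = config file, remaining args = paths
    local cfg=$1 incl p; shift
    incl=$(pac_ctl_incl "$cfg")
    for p in "$@"; do
        if path_covered "$incl" "$p"; then echo "covered   $p"; else echo "UNCOVERED $p"; fi
    done
}

# Constructed sample config mirroring the [pac] section quoted in the post;
# the [global] entry exists only to prove the parser stays inside [pac].
SAMPLE_CFG=$(mktemp); trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
[global]
ctl_incl = "/srv"
[pac]
event_mask = "open:create:exec"
# ctl_incl = "directory"
ctl_incl = "/home:/var/www:/tmp"
EOF

# Constructed candidates: PHP upload_tmp_dir file, two docroots, a near-miss.
report_upload_paths "$SAMPLE_CFG" /tmp/phpAbC123 \
    /var/www/html/wp-content/uploads /srv/wordpress/wp-content/uploads /var/www2/x
```

Run it against the real esets.cfg and the paths reported by `php -i | grep upload_tmp_dir` and the WordPress upload_path setting; any UNCOVERED line is a directory the pac library never inspects.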