Well, shared hosting really sucks! Not for the user, you can get hosting pretty cheap these days with a lot of features. For the people that administer the server, it’s something really different. I’m the webserver admin at ULYSSIS, we are a group of crazy students that administer a bunch of servers to offer really cheap hosting to all people related to the university.
Our cheapest account gets you hosting for €7,5 a year. You’ll get 200 MB quota, 1 MySQL/PostgreSQL db, vhosts, a shell account, 1 mailbox but unlimited forwarders for other email addresses. You also get svn repository(ies) that aren’t included in the quota. We have between 300 and 400 accounts. Running a secure webserver for these accounts sucks!
The break-in through a lame php script I wrote about two days ago was on that webserver. I’ve been putting a lot of work into securing the server to make sure that the threat of a poorly written script is reduced to its bare minimum. I already wrote about this patch; it’s replaced now by the filter functionality of hardened php and this patch for the mail function. Because there was an error in the mail function config (wrong sendmail parameters), mails from five days got bounced to the www-data user. I wrote a script to extract the original messages and sent them anyway.
Looking through those bounced mails with grep on stuff like ‘enlarge your’, ‘blue pills’ and other keywords you probably know really well allowed me to find a forum that they renamed to /forum_old and placed their new one at /forum. It was a phpBB2 install that hadn’t been used for 3 years and was hacked in 2004. It generated a few dozen spam mails to its old users every day. This isn’t just bad for the name of your website (it was a student organisation), it’s also a security threat for the webserver and for all the users.
So I got an idea. Because of the number of users and especially the number of vhosts (everyone needs to have at least two domains to be cool these days (;), I started working on migrating all vhosts to a setup that gets its vhosts from ldap with mod-vhost-ldap. This got me thinking about a filter for postfix that checks the X-PHP-Script header, looks up the user and its vhosts in ldap, and checks the mail for spam by piping it through spamassassin. Storing these results in a database should allow me to generate nice reports every day on who is sending spam from its vhost and to identify the buggy webforms.
If anyone knows about such a filter for postfix or any other mta, please let me know. It really doesn’t need to have the ldap backend. If it can generate stats on a vhost basis, that’s already more than fine and should be a good starting point.
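The per-vhost accounting described above, as an added example that is not code from the original post: it attributes each message to a vhost and script via the X-PHP-Script header and stores a spam flag per message in SQLite for reporting. The header format (`<vhost>/<path> for <client ip>`), the keyword check standing in for spamassassin, the table layout and all sample messages are assumptions made for illustration; the ldap lookup is left out.

```python
import email
import re
import sqlite3
from email import policy

# Assumed header format written by the PHP mail() patch: "<vhost>/<script path> for <client ip>"
SCRIPT_RE = re.compile(r"^(?P<vhost>[^/\s]+)(?P<path>/\S*)?(?:\s+for\s+(?P<ip>\S+))?$")
# Constructed keyword list; a stand-in for the spamassassin verdict the post proposes.
KEYWORDS = ("enlarge your", "blue pills")

def parse_script_header(value):
    """Return (vhost, path, client_ip), or None when the header is absent or malformed."""
    m = SCRIPT_RE.match(value.strip()) if value else None
    return (m["vhost"].lower(), m["path"] or "/", m["ip"]) if m else None

def looks_spammy(msg):
    """Keyword match on subject and body (hypothetical replacement for a real spam score)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    return any(k in text.lower() for k in KEYWORDS)

def build_report(raw_messages, db_path=":memory:"):
    """Store one row per message, then return (vhost, script, total, spam) rows, worst first."""
    db = sqlite3.connect(db_path)
    db.execute("CREATE TABLE IF NOT EXISTS mail(vhost TEXT, script TEXT, spam INTEGER)")
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        parsed = parse_script_header(msg.get("X-PHP-Script"))
        # Mail without a parseable header cannot be attributed; keep it visible in the report.
        vhost, script = parsed[:2] if parsed else ("(no X-PHP-Script)", "")
        db.execute("INSERT INTO mail VALUES (?, ?, ?)", (vhost, script, int(looks_spammy(msg))))
    db.commit()
    return db.execute(
        "SELECT vhost, script, COUNT(*), SUM(spam) FROM mail "
        "GROUP BY vhost, script ORDER BY SUM(spam) DESC, vhost").fetchall()

# Constructed sample messages (example domains and documentation IP ranges).
SAMPLES = [
    "X-PHP-Script: club.example/forum_old/privmsg.php for 203.0.113.7\n"
    "Subject: Enlarge your inbox\n\nhello\n",
    "X-PHP-Script: club.example/forum_old/privmsg.php for 203.0.113.9\n"
    "Subject: hi\n\nCheap blue pills here\n",
    "X-PHP-Script: www.other.example/contact.php for 198.51.100.4\n"
    "Subject: Question about membership\n\nWhen is the next meeting?\n",
    "Subject: cron output\n\nbackup finished\n",
]

if __name__ == "__main__":
    for row in build_report(SAMPLES):
        print("%-20s %-24s total=%d spam=%d" % row)
```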