How do I configure cxs to scan and quarantine suspicious files uploaded through php and cgi scripts using mod_security?

You should be comfortable logging into ssh as root and running Linux commands to follow these instructions.

1. First ensure that mod_security is installed and enabled on your server.

2. Create your quarantine directory if you have not already done so. For example, create a directory called /home/quarantine/. Make sure to chmod it 1777.

mkdir /home/quarantine/
chmod 1777 /home/quarantine/

Note that your quarantine directory must be in a location with world write access. So for example, do not put it in a location that only root can read, like the /root/ directory. You could put it somewhere in /var/ or /usr/, if you don't want it in /home/.

3. Edit the file /usr/local/apache/conf/modsec2.user.conf and add the following two lines (at the top is fine):

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
	"log,auditlog,deny,severity:2,id:'1010101'

(Note: The backslash (\) allows you to split a long command line onto two lines.)

4. Restart Apache and check for errors:

/scripts/restartsrv_httpd
tail -f /usr/local/apache/logs/error_log

5. Edit the file /etc/cxs/cxscgi.sh and modify the command line to suit your requirements. For example, to use the default cxs scan options and quarantine any suspicious files, if your quarantine directory is in /home/quarantine/, your command line in cxscgi.sh might look like this:

/usr/sbin/cxs --quiet --cgi --mail root \
     --quarantine /home/quarantine/ "$1"

(Note: The backslash (\) allows you to split a long command line onto two lines.)

If you want to only quarantine uploads that match specific scan options you can add --qoptions. If you add --qoptions, any file that matches any of the options you do NOT include in --qoptions but IS included in --options or the default options will trigger an alert email but will not be quarantined.

For example, this command line would quarantine fingerprint matches and viruses (these are the least likely to include false positives):

/usr/sbin/cxs --quiet --cgi --qoptions Mv --mail root \
     --quarantine /home/quarantine/ "$1"

Make sure that the email address set up as the root forwarder is a working and monitored email address, so you will receive the cxs alert emails.

Make sure that you have only one uncommented cxs command line in your cxscgi.sh file.

  • 90 Users Found This Useful
Was this answer helpful?

Related Articles

How do I set up logging for cxs ftp and web script upload scanning?

1. Create a log file, for example /var/log/cxs.log, and chmod it 666. 2. Edit the files...

How do I test whether cxs upload scanning is working correctly?

You will need a cPanel account with a domain you can browse to, to use for testing. Set up cxs...

How do I configure cxs to scan and quarantine suspicious files on ftp upload?

You should be comfortable logging into ssh as root and running Linux commands to follow these...

CXS does not seem to be detecting files uploaded via web scripts. What should I check to find out why it's not working?

1. Check that the alert emails are being sent and received. If you have --mail root in your...

How can i install CXS on my server?

To install cxs on using the Installer Script you must first register your server with us by...