Some interesting features for the next versions

Hi, I’ve been using Hestia for a month now and I think this project will go a long way.
But some time ago I saw another interesting project called MyVesta that implements some security features that would be interesting to incorporate into Hestia if they haven’t been incorporated yet. I’ll detail the ones that for me have been the most interesting:

  • You can limit the maximum number of sent emails (per hour) per mail account and per hosting account, preventing hijacking of email accounts and preventing PHP malware scripts from sending spam.

  • You can completely “lock” myVesta so it can be accessed only via secret URL, for example https://serverhost:8083/?MY-SECRET-URL

  • We disabled dangerous PHP functions in php.ini, so even if, for example, your customer’s CMS gets compromised, a hacker will not be able to execute shell scripts from within PHP

  • ClamAV is configured to block zip/rar/7z archives that contain executable files (just like GMail)

Greetings!

2 Likes

Hi @mistertek

We’ve a hard configured limit for sending emails in hestia, but I’ll ask dpeca for his implementation :slight_smile:.

I know about the lock function; it is currently not planned to implement it.

Can you share the limited PHP functions? Then we can probably implement it in Hestia as well.

We also know about the implementation to block zip and other archive types; we are currently in mid-discussion but haven’t made a decision yet.

Just to say: We got a direct contact with @depca, the creator of myvestacp, he is even in our hestia group chat :smiley:.

Great, so if you have contact with the developer of MyVesta, you can ask him what the most compromising functions of PHP are, and about other important security implementations. Plus, it would be great if the two communities joined forces to work on the same project. In myVesta’s GitHub there is a line that I think contains the disabled functions, and I put it here for you to evaluate disabling them too.

+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,passthru,shell_exec,proc_open,popen

From a HestiaCP 1.2.0-RC server:

root@vm05:~# fgrep -r disable_functions /etc/php/*
/etc/php/7.3/apache2/php.ini:disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
/etc/php/7.3/cli/php.ini:disable_functions =
/etc/php/7.3/fpm/php.ini:disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
root@vm05:~#

Strangely on HestiaCP it ends with a comma (",") …

So the difference between the PHP disabled functions of MyVesta and Hestia is the last 6 functions:
exec,system,passthru,shell_exec,proc_open,popen
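
One way to check for the gap found above, as an added example that is not part of the original posts or of either project's code: it parses each php.ini, reports which of the six exec-family functions remain enabled, and flags the trailing comma. The sample file contents are constructed, the names `parse_disable_functions` and `audit` are hypothetical, and only the main php.ini files are read.

```python
import glob
import re

# The six functions the thread found in myVesta's list but not in Hestia's.
EXEC_FUNCTIONS = ("exec", "system", "passthru", "shell_exec", "proc_open", "popen")

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")


def parse_disable_functions(ini_text):
    """Return (set_of_functions, trailing_comma) for the last active directive.

    Returns (None, False) when the directive is absent or only commented out.
    """
    found = None
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):  # php.ini comment line
            continue
        m = _DIRECTIVE.match(line)
        if m:
            # Drop any inline comment and surrounding quotes; keep the last occurrence.
            found = m.group(1).split(";", 1)[0].strip().strip('"')
    if found is None:
        return None, False
    names = {n.strip().lower() for n in found.split(",") if n.strip()}
    return names, found.endswith(",")


def audit(ini_files):
    """Map each path to the exec-family functions it leaves enabled."""
    report = {}
    for path, text in ini_files.items():
        names, trailing = parse_disable_functions(text)
        missing = [f for f in EXEC_FUNCTIONS if f not in (names or set())]
        report[path] = {"missing": missing, "trailing_comma": trailing}
    return report


# Constructed sample contents, shaped like the fgrep output above (pcntl list shortened).
SAMPLE = {
    "/etc/php/7.3/fpm/php.ini": "; comment\ndisable_functions = pcntl_alarm,pcntl_fork,pcntl_exec,\n",
    "/etc/php/7.3/cli/php.ini": "disable_functions =\n",
    "hardened.ini": "disable_functions = pcntl_exec,exec,system,passthru,shell_exec,proc_open,popen\n",
}

if __name__ == "__main__":
    files = {p: open(p).read() for p in glob.glob("/etc/php/*/*/php.ini")} or SAMPLE
    for path, result in sorted(audit(files).items()):
        print(path, "still enabled:", ",".join(result["missing"]) or "none",
              "(trailing comma)" if result["trailing_comma"] else "")
```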

@mistertek,

Thanks for the kind words and your feedback. Improvements to the mail stack are in the works and will be delivered over time with the next few major versions of Hestia. Blocking archives with executables is on the list alongside improvements to the webmail interface and better controls for configuring mail limits.

2 Likes