paranoya integration (experimental)
As an additional security measure you might want to scan uploaded files for malware.
Uploader will use the paranoya IOC and YARA scanner if it is present.
This will however extend the file upload time, especially for bigger files, apart from the fact that such scanning may be considered overkill.
This solution is experimental and may in itself introduce a DoS vulnerability under higher load.
- PHP module: sockets
- Temporary upload directory (upload_tmp_dir, usually /tmp) must be shared between PHP and paranoya
- paranoya scan enabled in config.php ("paranoya" => true)
- Significant hardware resources for higher amounts of uploaded files
- Rate limiting / DoS prevention
- Strict nginx configuration
In this setup it's important to share /tmp between the php-fpm and paranoya containers so that paranoya can scan the files PHP saves there temporarily during upload.
git clone https://github.com/c0m4r/up.git
cd up
git clone https://github.com/c0m4r/paranoya
mv .docker/docker-compose-with-paranoya.yml docker-compose.yml
chown 82:82 i logs -R
wget https://getcomposer.org/download/2.6.6/composer.phar
echo "72600201c73c7c4b218f1c0511b36d8537963e36aafa244757f52309f885b314 composer.phar" | sha256sum -c || rm composer.phar
Before running docker compose, edit config.php and change these options accordingly:
"allowed_hosts" => '127.0.0.1:8080,localhost,localhost:8080',
"ssl" => false,
"paranoya" => true,
"paranoya_host" => 'paranoya',
Now you can start docker compose:
docker compose up -d
docker compose exec php-fpm /bin/sh -c "cd /usr/share/nginx/html && php composer.phar update"
Because we want to protect against webshells it's a good idea to supplement the rules with additional ones. I found the php-malware-finder rules working quite well. They are a bit excessive when scanning other files, causing a lot of false positives, but because we want to block any PHP webshells mimicking image files, this can turn out to be an advantage. Still, I had to filter out some rules that caused false positives and interfered with signature-base.
php-malware-finder yara rules for paranoya
cd paranoya
curl -Ls \
https://raw.githubusercontent.com/jvoisin/php-malware-finder/aca14bfc3b2fa40a470a4f0fd8dcc1e0856f9c1c/data/php.yar \
| grep -vE '(powershell|safemode_bypass|\$comment)' \
| sed 's/global private/private/g;' \
| sed 's/include "whitelist.yar"//g;' \
| sed 's/ and not IsWhitelisted//g;' \
| sed 's/^{/{\n meta:\n description = "php-malware-finder"\n author = "jvoisin"\n reference = "https\:\/\/github\.com\/jvoisin\/php-malware-finder"\n/g;' > signature-base/yara/php-malware-finder.yar
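The pipeline above rewrites the php-malware-finder rule file in four steps, and it is easy to misjudge what each `grep`/`sed` actually removes (the `grep -vE` drops single lines, not whole rules). The script below is an added example, not part of the up or paranoya projects: it applies the same four steps to a small constructed rule set shaped like php.yar, so the effect can be inspected before the real signature-base directory is touched. `SAMPLE_RULES`, `filter_pmf_rules`, `filtered_has` and `meta_count` are names chosen here; the only difference from the page's command is a `|` delimiter in the last `sed` to avoid escaping the URL.

```shell
#!/bin/sh
# Added example (not part of up or paranoya): run the page's php-malware-finder
# filtering steps on a constructed sample instead of the real php.yar.

# Constructed sample in the shape of php.yar (not the real rule file).
# It carries every construct the pipeline touches: the whitelist include,
# the "global private" helper rule, "and not IsWhitelisted" references and
# a $comment string that is dropped line by line.
SAMPLE_RULES='include "whitelist.yar"

global private rule IsWhitelisted
{
    condition:
        false
}

rule DangerousPhp : webshell
{
    strings:
        $eval = "eval(" nocase
    condition:
        $eval and not IsWhitelisted
}

rule ObfuscatedPhp
{
    strings:
        $comment = /\/\*[^*]*\*\//
        $b64 = "base64_decode"
    condition:
        $b64 and not IsWhitelisted
        and not $comment
}'

# Same four steps as the page's pipeline, reading rules on stdin:
#  1. drop every line matching the noisy patterns (line-level, not rule-level),
#  2. demote "global private" to "private" so the rule can live beside
#     signature-base rules without a global constraint,
#  3. remove the whitelist include and the IsWhitelisted references,
#  4. prepend a meta block to every rule body so scan results name the origin.
filter_pmf_rules() {
    grep -vE '(powershell|safemode_bypass|\$comment)' \
    | sed 's/global private/private/g;' \
    | sed 's/include "whitelist.yar"//g;' \
    | sed 's/ and not IsWhitelisted//g;' \
    | sed 's|^{|{\n meta:\n description = "php-malware-finder"\n author = "jvoisin"\n reference = "https://github.com/jvoisin/php-malware-finder"\n|g;'
}

# Returns 0 when the filtered sample contains the extended regex in $1.
filtered_has() {
    printf '%s\n' "$SAMPLE_RULES" | filter_pmf_rules | grep -qE -- "$1"
}

# Prints how many rule bodies received a meta block.
meta_count() {
    printf '%s\n' "$SAMPLE_RULES" | filter_pmf_rules | grep -c '^ meta:'
}

# Stand-alone run: show the rewritten rules so each step can be eyeballed.
printf '%s\n' "$SAMPLE_RULES" | filter_pmf_rules
```

Run it on the real file by replacing the sample with `curl -Ls <php.yar URL> | filter_pmf_rules` and check the result with `yara -w` against a known-clean upload before enabling the rule set; the `$comment` removal in particular is only safe when the remaining condition lines still form a complete expression, which is why the sample keeps `$b64` on its own line.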
The paranoya scan is invoked right before the uploaded file is about to be saved.
If paranoya detects anything suspicious, the file is not saved and an error message is shown to the uploader.
Detected malware is logged to logs/malware.log.
This will not prevent targeted malware of course, but should be enough against bots and script kiddies.