Pyxsoft User Guide

Installation

Pyxsoft2 can be installed on many operating systems and control panels.

Please select your OS version and/or control panel to read the specific instructions.

Operating System | Control Panel | Compatibility | Installation
CentOS 6,7       | cPanel        | Compatible    | Details
CloudLinux 6,7   | cPanel        | Compatible    | Details
CentOS 7         | Virtualmin    | Compatible    | Details


Install on cPanel

To install on cPanel, follow these instructions:

Requirements

  • cPanel installed
  • CentOS, CloudLinux, RHEL or AmazonLinux version 6 or 7

Automatic Installation

Run the following command to perform an automatic installation of Pyxsoft 2:

$ curl -s https://www.pyxsoft.com/install-cpanel | bash

Log into your WHM panel and click the Pyxsoft Anti Hackers link in the main menu.

If you encounter problems connecting to the Pyxsoft Interface, please see:

http://www.pyxsoft.com/portal/pyxsoft-documentation/#cannot-connect-to-pyxsoft-interface

Enjoy!

Manual Installation

1. Install the pyxsoft repository

CentOS, CloudLinux, RHEL or AmazonLinux version 7.x:
# curl -s https://packagecloud.io/install/repositories/pyxsoft/stable/script.rpm.sh | sudo os=el dist=7 bash
CentOS, CloudLinux, RHEL or AmazonLinux version 6.x:
# curl -s https://packagecloud.io/install/repositories/pyxsoft/stable/script.rpm.sh | sudo os=el dist=6 bash

2. Install

# yum install pyxsoft-cpanel

3. Start services and perform post-installation tasks

$ /opt/pyxsoft/post-install

4. Visit the Pyxsoft Interface

Log into your WHM panel and click the Pyxsoft Anti Hackers link in the main menu.

If you encounter problems connecting to the Pyxsoft Interface, please see:

http://www.pyxsoft.com/portal/pyxsoft-documentation/#cannot-connect-to-pyxsoft-interface

 

Enjoy!


Installation on Virtualmin

Pyxsoft Anti Hackers can be installed on Virtualmin by following these instructions:

Requirements

  • Virtualmin installed
  • CentOS

We are currently working to make Pyxsoft compatible with Debian-, Ubuntu- and CentOS 6-based Virtualmin installations. Installations on those operating systems are not tested yet.

1. Install the pyxsoft repository

CentOS version 7.x:
# curl -s https://packagecloud.io/install/repositories/pyxsoft/stable/script.rpm.sh | sudo os=el dist=7 bash

2. Verify whether ModSecurity is installed on the system

Run the following command:

# httpd -t -D DUMP_RUN_CFG | grep 'MODSEC'
Define: MODSEC_2.5
Define: MODSEC_2.9

If the response includes the text Define: MODSEC_X.X, ModSecurity is already installed on your system and you can jump to the next step.

If ModSecurity is not installed (the most common case), you have to install it:

yum install mod_security

After the installation, test again:

# httpd -t -D DUMP_RUN_CFG | grep 'MODSEC'
Define: MODSEC_2.5
Define: MODSEC_2.9

ModSecurity 2.9 was installed on the server successfully.

3. Install Pyxsoft

# yum install pyxsoft-virtualmin

4. Start the services

# /opt/pyxsoft/post-install

5. Generate your password

# /opt/pyxsoft/pxgenpass

Copy your password to a safe place. You can generate new passwords with this procedure in the future.

6. Login

Visit http://your-server-ip:2930

Username: pyxsoftadmin

If you encounter problems connecting to the Pyxsoft Interface, please see:

http://www.pyxsoft.com/portal/pyxsoft-documentation/#cannot-connect-to-pyxsoft-interface

Enjoy!


Features


CPU usage control

Pyxsoft is the only product that allows you to control the CPU usage of the scanner.

The scanner CPU usage can be finely controlled under Settings > Scanner Settings.

Two settings are used to control the CPU usage:

– Maximum CPU usage
– Number of cores enabled for scanner

The Number of cores enabled for scanner setting controls how many CPU cores are used when the scanner runs. More CPU cores provide faster scans. Each core processes a different file at the same time. The default value is the number of CPU cores that the system has, with a maximum of 4. Our tests reveal that more than 4 cores do not provide significant benefits.

The Maximum CPU usage setting is a very important setting that controls how much CPU the scanner uses.

Scan Experiment

System used:

– Elementary Linux “Loki” 64 bits
– CPU: Intel(R) Core(TM) i7-4702MQ CPU @ 2.20GHz
– CPU Cores: 8
– RAM: 16 GB
– Number of cores enabled for scanner: 4

Scanned data: WordPress 5.0.2, 1735 files.

Results

Maximum CPU usage: Normal
CPU Cores: 4
Time to scan: 2m04s
CPU Usage: 400% approx. (50% of total CPU power)

Our system has 8 CPU cores. The total CPU power is 800%. The scan process used 400% of the CPU power. If the system had only 4 cores, it would have been overloaded.

Maximum CPU usage: Medium
Time to scan: 5m43s
CPU Cores: 4
CPU Usage: 300% approx. (37.5% of total CPU power)

Maximum CPU usage: Low
Time to scan: 8m18s
CPU Cores: 4
CPU Usage: 220% approx. (27.5% of total CPU power)


 


Deinstallation Instructions

 

cPanel

Uninstallation:

yum remove pyxsoft-cpanel pyxsoft-modsechelpers pyxsoft-service pyxsoftui pxscand pxscand-service

Stop services:

pkill pyxsoftUI
pkill pxscand


Instant Protection

Here you can find many of Pyxsoft's protection capabilities.


Multipart Strict Error

Users upload data. No matter what web application they are using, most of them need data to be uploaded. Normally users upload images, text files, documents, PDFs and more.

To upload a file, web browsers send the server a request known as a "Multipart Form". Multipart forms have a specific format defined in RFC 2388 and in RFC 7578.

Hand-crafted malicious requests can be made in order to bypass the security provided by the web server and/or the PHP validator.

Some specific malicious requests could allow attackers to upload hidden files such as web shells or spam senders.

The following codes appear in the Pyxsoft GUI when an upload is blocked:

Code | Meaning                      | Description
PE   | Request Body Processor Error |
BQ   | Boundary Quoted              |
BW   | Boundary Whitespace          |
DB   | Data Before                  | We have seen this flag when attackers include hidden files in uploads.
DA   | Data After                   |
HF   | Header Folding               |
LF   | LF Line                      |
SM   | Missing Semicolon            |
IQ   | Invalid Quoting              | Triggered when uploaded files have an apostrophe ('). If you expect this kind of file name, IQ can be disabled as a blocking test in Pyxsoft Settings.
IF   | Invalid Header Folding       |
FE   | File Limit Exceeded          |

Each test can be enabled or disabled as a blocking test in Pyxsoft Settings.

We recommend keeping all tests enabled; if necessary, you can disable the IQ test.
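To make the codes concrete, the following added example (not Pyxsoft's or ModSecurity's parser) checks a multipart request for eight of them. The function name strict_flags, the rule applied for each code (this example's own reading of the code's name) and the sample request are assumptions constructed for illustration.

```python
import re

def strict_flags(content_type, body):
    """Return the two-letter codes from the table that this check raises."""
    flags = set()
    m = re.search(r'boundary(\s*)=(\s*)("?)([^";]+)', content_type, re.I)
    if not m:
        return {"PE"}                      # no boundary: body cannot be processed
    pre_ws, post_ws, quote, boundary = m.groups()
    if quote:
        flags.add("BQ")                    # boundary="..." in Content-Type
    if pre_ws or post_ws:
        flags.add("BW")                    # whitespace around '='
    if ";" not in content_type[:m.start()]:
        flags.add("SM")                    # no ';' between media type and boundary
    delim = b"--" + boundary.strip().encode()
    first, last = body.find(delim), body.rfind(delim + b"--")
    if first < 0 or last < 0:
        return flags | {"PE"}              # opening or closing boundary missing
    if body[:first].strip():
        flags.add("DB")                    # bytes ahead of the first boundary
    if body[last + len(delim) + 2:].strip():
        flags.add("DA")                    # bytes after the closing boundary
    for part in body[first:last].split(delim)[1:]:
        head = re.split(rb"\r?\n\r?\n", part, maxsplit=1)[0]   # part headers only
        if re.search(rb"(?<!\r)\n", head):
            flags.add("LF")                # line ended by bare LF, not CRLF
        if re.search(rb"\n[ \t]", head):
            flags.add("HF")                # continuation (folded) header line
        if any(b"'" in line for line in head.splitlines()
               if line.lower().startswith(b"content-disposition")):
            flags.add("IQ")                # apostrophe in name or filename
    return flags

# Constructed sample request, not captured traffic.
CT = "multipart/form-data; boundary=XbOuNd"
CLEAN = (b"--XbOuNd\r\n"
         b'Content-Disposition: form-data; name="f"; filename="a.txt"\r\n'
         b"Content-Type: text/plain\r\n\r\n"
         b"hello\r\n"
         b"--XbOuNd--\r\n")
# Same upload with bytes before the first boundary and an apostrophe in the name.
ODD = b"stray preamble\r\n" + CLEAN.replace(b"a.txt", b"bob's.txt")

if __name__ == "__main__":
    print(sorted(strict_flags(CT, CLEAN)))
    print(sorted(strict_flags(CT, ODD)))
```

The second sample shows why IQ is the one test the page suggests relaxing: an ordinary file name with an apostrophe raises it alongside the more suspicious DB flag.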


Joomla JCE (CVE-2012-2902)

Unrestricted file upload vulnerability in editor/extensions/browser/file.php in the Joomla Content Editor (JCE) component before 2.1 for Joomla!, when chunking is set to greater than zero, allows remote authors to execute arbitrary PHP code by uploading a PHP file with a double extension.

Registered as CVE-2012-2902

Pyxsoft solution

Multiple exploits combine the JCE vulnerability with multipart modifications in order to upload invisible files, bypassing the ModSecurity and PHP multipart parsers.

We created a complex solution that intercepts attempts to exploit these vulnerabilities, recognizes them and blocks them.

Pyxsoft users are safe from CVE-2012-2902 even with vulnerable versions of Joomla! installed on server.



Troubleshooting

Here you can find common problems and how to solve them.


Low inotify watches

OpenVZ/Virtuozzo users: You cannot modify the inotify watches. Please ask your service provider to modify the setting at the node level. If the service provider does not modify the settings, please disable Instant Watch in your Pyxsoft Interface.

The Instant Scan depends on the inotify watches system, provided by the Linux Kernel.

Every Linux installation has a specific amount of inotify watches set by default.

If you want to know how many inotify watches your system has, execute the next command:

# cat /proc/sys/fs/inotify/max_user_watches

You will need one inotify watch per watched directory. Thus, the more directories on the server, the more watches will be needed.

You can increase the number of inotify watches with the following procedure:

CentOS/RHEL/CloudLinux/Debian/Ubuntu:
NV=999999; sudo sed -ni -e '/^fs.inotify.max_user_watches=/!p' -e "\$afs.inotify.max_user_watches=${NV}" /etc/sysctl.conf; sudo sysctl -p

Increase the number 999999 according to your needs.

Finally, restart the pyxsoft service. We provide an OS-agnostic script:

/opt/pyxsoft/servicectl restart pyxsoft
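To pick a value for max_user_watches, the added example below (not part of Pyxsoft) counts one watch per directory under a tree and breaks the total down by top-level folder, so the account consuming most watches is visible. The function names and the use of /home as the watched tree are assumptions.

```python
import os

def count_dirs(root):
    """Count root plus every real (non-symlink) directory below it."""
    total = 1
    for dirpath, dirnames, _ in os.walk(root, onerror=lambda err: None):
        total += sum(1 for d in dirnames
                     if not os.path.islink(os.path.join(dirpath, d)))
    return total

def watch_budget(root, limit=None):
    """Return (needed, limit, per_child) for a tree, one watch per directory."""
    if limit is None:
        # Same value the cat command above prints.
        with open("/proc/sys/fs/inotify/max_user_watches") as fh:
            limit = int(fh.read())
    per_child = {}
    for entry in os.scandir(root):
        if entry.is_dir(follow_symlinks=False):
            per_child[entry.name] = count_dirs(entry.path)
    needed = 1 + sum(per_child.values())   # +1 for root itself
    return needed, limit, per_child

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"   # assumed watched tree
    needed, limit, per_child = watch_budget(root)
    print(f"{root}: {needed} directories, limit {limit}")
    for name, n in sorted(per_child.items(), key=lambda kv: -kv[1])[:10]:
        print(f"  {n:>8}  {name}")
    if needed > limit:
        print("limit too low: raise fs.inotify.max_user_watches above", needed)
```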


Cannot connect to Pyxsoft Interface

Try connecting to your Pyxsoft interface using your web browser and connecting to <ip>:2930

If you don't see the Pyxsoft panel, follow these steps to resolve it:

1. Ensure that the pyxsoft and pxscand services are running

The following command shows which pyxsoft services are running. The output must include pxscand and pyxsoftUI:

$ ps aux | grep -v grep | grep 'pyxsoft'
root 18147 45.5 0.5 908228 182748 ? Ssl 01:25 82:06 /opt/pyxsoft/pxscand
root 19007 3.5 0.5 1358360 192284 ? Ssl 04:10 0:32 /opt/pyxsoft/pyxsoftUI

If the command output looks like the example above, the services are running.

If the services are not running, you can start them with the following commands:

$ sudo /opt/pyxsoft/servicectl start pxscand
$ sudo /opt/pyxsoft/servicectl start pyxsoft

2. Open port 2930 in your firewall

There are many software-based firewalls. Here we cover the most common ones.

If the file /etc/csf/csf.conf does not exist on your system, the csf/lfd firewall is not installed and you should continue with step 3.

CSF/LFD

cPanel:

If you are using cPanel, go to WHM > Configserver Security & Firewall > Firewall Configuration and add port 2930 in TCP_IN.

Then press “Change” and restart Firewall.

Command Line:

Edit the file /etc/csf/csf.conf and add port 2930 to the TCP_IN line. Save the changes.

Restart the firewall:

csf -r

3. Open port 2930 in iptables

iptables is a default firewall installed on many Linux distributions. To open port 2930, run the following commands:

CentOS 6/CloudLinux 6/RHEL 6:
iptables -I INPUT -p tcp -m tcp --dport 2930 -j ACCEPT
service iptables save
CentOS 7/CloudLinux 7/RHEL 7:
firewall-cmd --zone=public --add-port=2930/tcp --permanent
firewall-cmd --reload


Pxscand high CPU usage

You may be concerned about high pxscand CPU usage when no scan is in progress.
The cPanel process manager uses ps to calculate CPU usage, and that figure is based on statistics since the program started. The results can easily be misinterpreted.

If you want to monitor the real CPU usage of pxscand and its threads, run the following command in a terminal:

top -H -p `pgrep pxscand`

And you will see the real CPU usage:

Threads: 12 total, 0 running, 12 sleeping, 0 stopped, 0 zombie
%Cpu(s): 22.5 us, 2.2 sy, 3.1 ni, 72.0 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 16356060 total, 8801860 free, 4289536 used, 3264664 buff/cache
KiB Swap: 16707580 total, 16707576 free, 4 used. 11156176 avail Mem

PID  USER PR NI VIRT  RES    SHR  S %CPU %MEM TIME+ COMMAND
3857 root 20 0 676972 130272 4564 S 0.0 0.8 2:53.30 pxscand
3858 root 20 0 676972 130272 4564 S 0.0 0.8 0:00.62 pxscand
3859 root 20 0 676972 130272 4564 S 0.0 0.8 0:01.14 pxscand
3860 root 20 0 676972 130272 4564 S 0.0 0.8 2:58.07 pxscand
3861 root 20 0 676972 130272 4564 S 0.0 0.8 0:00.00 pxscand
3862 root 20 0 676972 130272 4564 S 0.0 0.8 0:00.00 pxscand
3863 root 20 0 676972 130272 4564 S 0.0 0.8 0:00.00 pxscand
3864 root 20 0 676972 130272 4564 S 0.0 0.8 0:00.00 pxscand
3865 root 20 0 676972 130272 4564 S 0.0 0.8 3:45.59 pxscand
3866 root 20 0 676972 130272 4564 S 0.0 0.8 2:54.26 pxscand
3867 root 20 0 676972 130272 4564 S 0.0 0.8 0:00.00 pxscand
3868 root 20 0 676972 130272 4564 S 0.0 0.8 0:00.00 pxscand
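The difference between the two figures can be reproduced from /proc. This added example (not part of Pyxsoft) computes the since-start percentage that ps reports and the percentage over a short sampling interval, which is what top shows; the function names are assumptions and it requires a Linux /proc filesystem.

```python
import os
import time

CLK_TCK = os.sysconf("SC_CLK_TCK")   # kernel clock ticks per second

def read_ticks(pid):
    """Return (cpu_ticks, start_ticks) from /proc/<pid>/stat (all threads summed)."""
    with open(f"/proc/{pid}/stat") as fh:
        # The command name (field 2) may contain spaces, so split after its ')'.
        fields = fh.read().rsplit(")", 1)[1].split()
    utime, stime, starttime = int(fields[11]), int(fields[12]), int(fields[19])
    return utime + stime, starttime

def lifetime_pct(cpu_ticks, start_ticks, uptime_s):
    """ps-style figure: total CPU time divided by time since the process started."""
    elapsed = uptime_s - start_ticks / CLK_TCK
    return 100.0 * (cpu_ticks / CLK_TCK) / elapsed if elapsed > 0 else 0.0

def interval_pct(ticks_before, ticks_after, seconds):
    """top-style figure: CPU time consumed during the sampling interval only."""
    return 100.0 * (ticks_after - ticks_before) / CLK_TCK / seconds

def compare(pid, seconds=3.0):
    """Sample a process twice and return (lifetime %, interval %)."""
    before, start = read_ticks(pid)
    time.sleep(seconds)
    after, _ = read_ticks(pid)
    with open("/proc/uptime") as fh:
        uptime_s = float(fh.read().split()[0])
    return lifetime_pct(after, start, uptime_s), interval_pct(before, after, seconds)

if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    life, now = compare(pid)
    print(f"pid {pid}: since start {life:.1f}%  last 3 s {now:.1f}%")
```

A daemon that finished a long scan hours ago keeps a high since-start figure while its interval figure is 0.0, which matches the idle threads in the top output above.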

 

References:

https://unix.stackexchange.com/questions/58539/top-and-ps-not-showing-the-same-cpu-result
