How to install SiteWALL Webshell agent on your webserver.

What is Webshell?
A Webshell is a malicious script used by attackers to gain remote access and control over a compromised web server. Typically written in web scripting languages such as PHP, ASP, or Perl, Webshells are uploaded to a web-accessible directory on a server, often through vulnerabilities in web applications or poor configuration.

What is SiteWALL Webshell detection agent?
The Webshell agent detects webshells, preventing backdoors and malware.

Why do you need to install SiteWALL Webshell agent? 
A Webshell can be dropped on your webserver by a hacker, either from the Internet or the Intranet. A Webshell can also be uploaded accidentally by a developer along with new code. Once installed, the Webshell agent monitors for and detects Webshells as and when they are uploaded to your webserver.
 
How to enable Webshell Detection in SiteWALL WAF?
 
Enabling Webshell Detection in SiteWALL is a 2 step process.
Step 1) Webshell Configuration
Step 2) Installation of the SiteWALL Webshell agent.

Step 1 Webshell Configuration.


1. Log in to https://admin.sitewall.net (SiteWALL Management portal).

2. In the side menu bar, click on Settings >> Applications and then edit the applications for which you want to enable Webshell detection.

3. In Edit Application, click on Security Modules.

4. Toggle the Webshell switch to ON to enable Webshell detection. Set the notification group as required. Enter your website folder path in the "Website Server Path" field for your webserver (e.g. /public_html/<your_website_name_path>) and click on Finish to complete the configuration.


Step 2 Installation of SiteWALL Webshell agent. 

SiteWALL provides separate Webshell agent packages for Windows and Linux. You can download the respective package from the SiteWALL Management Portal by logging in to https://admin.sitewall.net and clicking on the Resources tab in the top-left menu.




A] Installation of Webshell agent on Linux Server.
  1. Access the home directory on your webserver using the command: cd /home

  2. Copy the downloaded package to this directory.

  3. Extract the package file by running the following command as root user.

       unzip ws-linux.zip

  4. Set execute permission on the binary using the following command.

       chmod +x sitewallws

  5. Execute the following command to complete the installation.

       ./sitewallws -n

     Verify whether the script ran successfully using the command below:

       more sitewallbin-<date>.log
 
Note : "If your web server's IP address is not globally used for communication, you will receive the following message in the output. You must email the IP address mentioned in your logs to support@pagentra.com."



The log below indicates that stage one is completed. Command to view the log file: more sitewallbin-<date>.log

  6. Set up a daily cron job to run the agent update at night, between 12 AM and Noon. Edit your crontab by executing the command below.

       vim /etc/crontab

  7. Add the following line to the crontab.

       0 1 * * * root cd /sitewall && ./sitewallws -u >> cronlogs-sitewallws.txt 2>&1

     Verify whether the cron job ran successfully using the command below:

       more sitewallbin-<date>.log

The above log indicates that stages 2 and 3 are completed.
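
Because the crontab line in step 7 runs ./sitewallws as root every night, the agent's directory and binary are worth auditing for ownership and write permissions. The script below is an added example, not SiteWALL code or documentation; it assumes GNU stat, the binary name and -u flag shown on this page, and the /sitewall directory that the cron line changes into.

```shell
#!/bin/sh
# Added example, not SiteWALL code. Audits the files that the root cron job
# from step 7 executes. Assumed from this page: binary name "sitewallws",
# update flag "-u", and the directory the cron line changes into (/sitewall).

# audit_agent DIR EXPECTED_UID CRONTAB
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_agent() {
    dir=$1; uid=$2; crontab=$3; bad=0
    for p in "$dir" "$dir/sitewallws"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1; continue
        fi
        # Owner must be the account the job runs as (root, uid 0, in production).
        if [ "$(stat -c '%u' "$p")" != "$uid" ]; then
            echo "OWNER $p is not uid $uid"; bad=1
        fi
        # Octal 022 = group-write | other-write. Anyone who can replace the
        # binary or rename files in its directory gets code run as root.
        mode=$(stat -c '%a' "$p")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p has mode $mode"; bad=1
        fi
    done
    if [ -e "$dir/sitewallws" ] && [ ! -x "$dir/sitewallws" ]; then
        echo "NOT_EXECUTABLE $dir/sitewallws"; bad=1
    fi
    # An active (uncommented) system-crontab line that runs the update as root.
    re="^[^#]*[[:space:]]root[[:space:]]+cd[[:space:]]+${dir}[[:space:]]*&&[[:space:]]*\./sitewallws[[:space:]]+-u"
    if ! grep -Eq "$re" "$crontab"; then
        echo "NO_CRON_ENTRY in $crontab"; bad=1
    fi
    return "$bad"
}

# Stand-alone use: sh audit.sh /sitewall 0 /etc/crontab
if [ "$#" -eq 3 ]; then
    audit_agent "$@"
fi
```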


B] Installation of Webshell agent on Windows Server


  1. Create a directory named sitewall on the C: drive of your webserver.

  2. Copy the downloaded file to the C: directory.

  3. Extract the file.

  4. Save the contents of the file inside a directory on the server: /sitewall

     The three files below will be extracted from the Zip:

  5. Run Command Prompt as Administrator.

  6. Go to the C:/sitewall directory.

  7. Install the agent by executing the command: sitewallws.exe 1





Note : "If your web server's IP address is not globally used for communication, you will receive the following message in the output. You must email the IP address mentioned in your logs to support@pagentra.com."



  8. Set up a daily task to run the agent update at night, between 12 AM and Noon. Go to Server Manager and click on Task Scheduler.
      a. Go to Server Manager >> Tools >> Task Scheduler

  9. Click on "Create Task".

  10. In Create Task, on the General tab:
      a. Enter a Name for your Task: SiteWALL Webshell Task.
      b. Select 'Run whether the user is logged in or not'.
      c. In "Configure for", select your current webserver as shown below (in this case: Windows Server 2012 R2).

  11. Click on the Triggers tab and click on New:
      a. Select 'Begin the task' as On a schedule.
      b. Under Settings, select the "Daily" radio button.
      c. Select the start date as the current day's date.
      d. Select the time as: 01:00:00 AM.
      e. Recur every: 1 days.
      f. Click on the "Enabled" button and click on Ok.

  12. Click on the Actions tab and then click on "New":

  13. Set the "Action" as "Start a Program".
      a. Type "cmd" in Program/script.
      b. Set Add arguments as:   /c ""C:\sitewall\sitewallws.exe" 2 >> "C:\sitewall\debuglog.txt" 2>&1"
      c. Set Start in as C:\sitewall\.
      d. Click on Ok.

  14. Click on the Conditions tab.
      De-select all options.

  15. Click on the Settings tab:
      a. Click on "Allow task to run on demand".
      b. Click on "Stop the task if it runs longer than" and select 1 hour.
      c. Click on "If the running task does not end when requested, force it to stop".
      d. Select from the dropdown "Do not start a new instance".
      e. Click on OK.

  16. The scheduled task will be visible as shown below:

  17. When the scheduled task runs, a log is generated as shown below:

  18. You can find the log file named debuglog in the path C:\sitewall on your webserver.