  1. #1
    Join Date
    Oct 2004
    Posts
    627

    Cpanel+Apache 2.4, symlink protection from rack911?

    Famous symlink issues on CentOS for a long time; cPanel has a good summary here:

    https://forums.cpanel.net/f185/solut...ml#post1397221

    Steve, do you have any patch for Apache 2.4, for people who do not use CloudLinux plus do not want to use cPanel's patch on EasyApache?

    Thanks!

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Nov 2006
    Location
    Pune, India
    Posts
    1,417
    LeapSwitch Networks Pvt. Ltd. - Managed VPS / Dedicated Servers India
    ASN 132335 - India - USA - Spain - Portugal - Ukraine - Germany
    █ Shared, Reseller, VPS, Dedicated Servers, Colocation
    Pay via - PayPal, Payza, Skrill, Credit/Debit Cards (USD / INR)

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by ishan View Post
    Better option = CloudLinux SecureLinks or cPanel's EasyApache patch ?
    Any of these options:

    CloudLinux SecureLinks
    CloudLinux CageFS
    Grsecurity Symlink Protection
    cPanel EasyApache patch (really Bluehost's)
    LitespeedTech (they are going to be releasing a new version with even better protection soon)
    mod_ruid2

    However, some have performance implications, such as the cPanel EasyApache patch.

  5. #5
    Join Date
    Oct 2004
    Posts
    627
    For our new server, we do use CloudLinux, but for old production servers, we usually avoid rebooting the server, therefore~

    Steven, I will email you

  6. #6
    Join Date
    Oct 2004
    Posts
    627
    Quote Originally Posted by ishan View Post
    Better option = CloudLinux SecureLinks or cPanel's EasyApache patch ?
    I believe Steven means CloudLinux's SecureLinks

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by PeterPP View Post
    For our new server, we do use CloudLinux, but for old production servers, we usually avoid rebooting the server, therefore~

    Steven, I will email you
    You should probably reboot if you have an old kernel

  8. #8
    Join Date
    Oct 2004
    Posts
    627
    Quote Originally Posted by Steven View Post
    You should probably reboot if you have an old kernel
    I wish so

    The cPanel EasyApache patch has a performance impact; people will really appreciate it if you have one like your good work on 2.2.X

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by PeterPP View Post
    I wish so

    The cPanel EasyApache patch has a performance impact; people will really appreciate it if you have one like your good work on 2.2.X
    If you are running an old kernel, you may be open to a root exploit, which is worse than this symlink issue.

  10. #10
    Join Date
    Oct 2004
    Posts
    627
    We use Ksplice to update the kernel~

  11. #11
    Join Date
    Apr 2008
    Location
    Tulsa, OK, USA
    Posts
    372
    Quote Originally Posted by Steven View Post
    Any of these options:

    CloudLinux SecureLinks
    CloudLinux CageFS
    Grsecurity Symlink Protection
    cPanel EasyApache patch (really Bluehost's)
    LitespeedTech (they are going to be releasing a new version with even better protection soon)
    mod_ruid2

    However, some have performance implications, such as the cPanel EasyApache patch.
    There is also, of course, the tpe-kmod work we did, which brought over something like grsecurity's symlink protections. It was merged into tpe-kmod mainline, but probably only works on CentOS 6 (well, any kernel with 2.6.32+).

    I am going to try to get a CentOS 5 box up at some point and get the patch going there too. But CentOS 5 is all but EOL at this point, so I might not bother.

  12. #12
    Join Date
    Oct 2004
    Posts
    627
    I see there is an option "disable_symlinks if_not_owner" on Nginx admin (cPanel's nginx add-on). Will it help with the symlink issue on Apache 2.4?
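
The rule behind nginx's `disable_symlinks if_not_owner`, mentioned in post #12 (deny when a path component is a symlink whose owner differs from the owner of the object it points to), written out as an audit check for a hosting account's tree. This is an added example, not code from the thread or from nginx; `link_owner_mismatches`, `demo` and the sample file names are hypothetical.

```python
import os
import stat as stat_mod
import tempfile

def link_owner_mismatches(root, relpath, lstat=os.lstat, stat=os.stat):
    """Check each component of relpath below root and report symlinks whose
    owner differs from the owner of the object they resolve to.
    lstat/stat are injectable so the rule can be exercised without root."""
    findings = []
    current = root
    for part in relpath.split("/"):
        if part in ("", "."):
            continue
        current = os.path.join(current, part)
        link = lstat(current)                  # the component itself, not followed
        if not stat_mod.S_ISLNK(link.st_mode):
            continue
        try:
            target_uid = stat(current).st_uid  # the object the link resolves to
        except OSError:
            target_uid = None                  # dangling link: report it as well
        if target_uid != link.st_uid:
            findings.append((current, link.st_uid, target_uid))
    return findings

def demo():
    """Constructed sample tree: a link in public_html to a file of the same owner."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "public_html"))
    with open(os.path.join(base, "config.php"), "w") as fh:
        fh.write("<?php // constructed sample\n")
    os.symlink(os.path.join(base, "config.php"),
               os.path.join(base, "public_html", "cfg.txt"))
    return base

if __name__ == "__main__":
    base = demo()
    # Same owner on link and target, so nothing is reported.
    print(link_owner_mismatches(base, "public_html/cfg.txt"))
```

A scan like this is a point-in-time audit: it reports links that already exist and does not stop a link from being swapped between the check and the open.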
