The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Apache vhosts are not segmented or chroot()ed. | No symlink protection detected

Discussion in 'Security' started by mbressman, Jan 25, 2015.

  1. mbressman

    mbressman Active Member

    Joined:
    Jan 31, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    I'm a relative newbie when it comes to server administration (at least insofar as cPanel/WHM) compared to many others. (I have been running my own Ubuntu servers for some time now, but also "cheat" a little by using Webmin and getting help online.) Recently, I had to move from a shared/reseller hosting platform to a VPS at a different company (running Xen/CentOS 6) because I got fed up with all the restrictions that were arbitrarily (at least to me) being implemented on the shared platfirm with no upfront notification (which ended up breaking things). Now I'm on a managed VPS, and the company offering it has been extremely helpful, but ultimately I understand how I proceed is up to me (and I also want to learn and understand as I move forward).

    I've gone through the WHM panel pretty thoroughly now, and want to ensure that my VPS is fully configured and protected before I deploy it to my clients (and for my own purposes as well). To that end, I ran the Security Advisor, and while a few of the items that popped up are understandble (i.e. SSH password authentication is enabled, SSH direct root logins are permitted, The pseudo-user “nobody” is permitted to send email, Outbound SMTP connections are unrestricted, etc.), there are one or two that I'm running into difficulties deciding how to proceed on:

    - Apache vhosts are not segmented or chroot()ed.
    Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

    - No symlink protection detected
    You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

    It seems that for the first one (Apache vhosts are not segmented or chroot()ed.), my options are:
    - continue to leave things as is, using suPHP (and I presume jailed shells also since that is configured under "Managed Shell Access" already as jailed)
    - move to mod_ruid2 (under EasyApache) and DSO (under Configure PHP and suEXEC) and then possibly enable that "Experimental" mod_ruid2 jailed shell option under "Tweak Settings" (or maybe not and just move to mod_ruid2 and DSO?)
    - move to CloudLinux and CageFS (which I understand is a whole different OS from CentOS, and yet isn't that hard to switch to, although I believe I'd have additional monthly costs then)

    Is that an accurate understanding of my options? Can anyone advise on which one might be the best? Basically, I want to ensure all "normal" things work on my VPS (i.e. Joomla websites, WordPress websites, email, etc.), but also want to make sure it's secure so that I don't run into disasters down the road. I haven't really deployed anything on it yet, and want to make sure it's fully configured and secure before doing so (but also want to make sure when I do so, everything works). Any help on this is greatly appreciated.

    And then for the second one I'm unsure about (No symlink protection detected), I'm also not sure how to proceed. I'm not quite clear on whether the changes I might make above would have an impact on resolving this issue, or if I need to resolve this issue, or if there is something else to be done? I know there is something called Apache Symlink Protection or Symlink Race Condition Protection or something else similar (maybe those are two different things?), but not sure how to implement, how it applies, and what it might do exactly. Any help with this is greatly appreciated also!

    Thanks very much!

    P.S. Is CloudLinux and CageFS the recommended method (over CentOS) of running WHM/cPanel in a secure environment (while still allowing full functionality for websites, etc.)? If so, I might just bite the bullet and do that even if it costs more money, but does it function in much the same way as CentOS? And if I've made some customizations (such as installing Webmin, installing VPN to access Webmin, installing a remote access client, customizing CSF to allow all of these, etc.), will these all still work? Thanks!
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    941
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    CloudLinux is basically just modifications to CentOS. Aside from mainly hosting-related and security optimizations, it's still a CentOS server and functions the same.

    If you plan on hosting multiple sites, the symlink race condition protection is the bare minimum. If you want to be more secure, cloudlinux/cageFS is a good way to go for hosting. Rest assured plenty of people host all the common CMSes on CloudLinux servers.
     
  3. mbressman

    mbressman Active Member

    Joined:
    Jan 31, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the info - greatly appreciated!

    It seems like my best move here is to go with CloudLinux - already contacted my VPS hosting provider to find out how to proceed with that. Is this something I need to purchase through my hosting provider, or can I purchase directly from CloudLinux and install myself?

    A few follow-up questions:
    1) Once I install CloudLinux, how do I install/enable CageFS (presumably to do what I'm being instructed in the cPanel Security Advisor message above)?
    2) Do I need to move to mod_ruid2 and DSO with CloudLinux? Or can I just leave EasyApache's configuration the way it is now (and presumably stay with suPHP also)?
    3) If I go with CloudLinux, do I need to do anything with symlink race condition protection in order to rectify the other cPanel Security Advisor message, or will CloudLinux/CageFS take care of that as well?

    Thanks!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page