Is Symlink Race Condition Protection Needed on a Non-Shared Server?

[celiac101]

I am trying to beef up security on my server, and hopefully not slow it down, as it is very busy.

I operate a dedicated server, and with the exception of temporary FTP/cpanel access to certain sites on the server, I am the only person who has access to the server, and any sites on it. In my case, do I need to worry about Symlink Race Condition Protection?

 

[cPanelMichael]

Hello @celiac101,

You can find discussion of this topic at:

How important is symlink protection?

With the availability of KernelCare's Free Patch Set, which includes KernelCare Free Symlink Protection, I don't see a reason not to protect your system against symlink attacks:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

Thank you.

 

[celiac101]

I don't see an answer to my question in that thread, but it looks like if I control all sites on my server, which I do, then the only way I need to worry about Symlink is if one of those sites gets hacked, is that correct?

PS - The reason not to run it is the warning about slow performance. I want fast performance.

 

[cPanelMichael]

Hello @celiac101,

That's correct, in your case the benefit would relate to it's ability to protect the other websites on your system in the event one was exploited. Also, note the slow performance warning only extends to the Bluehost patch. The other documented patches/solutions will not slow the performance.

Thank you.

 

[celiac101]

Great, I applied the patch and hope it won't slow things down (I'll report it here if it does).

Second question moved to it's own thread - New Thread - Apache vhosts are not segmented

 

[a305587]

Sorry to bring up an old thread but since I have the exact same question I didn't think it made sense to start a new one.

I am on a VPS and my sites are segmented into their own cPanels. The WHM message behind SymLink Protection states:

Symlink Protection [?]
This directive enables symlink protection in order to reduce the impact of race conditions if you enable the FollowSymlinks and SymLinksIfOwnerMatch Apache directives.
If one or both of those directives are not in effect this directive will have unexpected behavior so it is highly recommended to leave it off in that case.
The checks this directive performs can have significant performance impacts on the server. We strongly recommend that you do not enable this feature unless you absolutely require it.

Like the original poster, I'm the only person with access to the server and speed is of the utmost importance. Also between CSF, cPHulk, and WordFence we have the sites and server locked down pretty well.

The warning messages attached to the Symlink option give me pause. Is this something I should enable or not? Hmm. What do you recommend? If the sites are on their own cPanels, is the Symlink attack still a threat?

Thank you.