Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

No symlink protection detected

Discussion in 'Security' started by Nirjonadda, Jul 19, 2017.

  1. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    cPanel Security Advisor showing error No symlink protection detected after switched our sites to MPM:Event from prefork because Starting from Apache 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2. But we have enabled FollowSymLinks and SymLinksIfOwnerMatch. Please let me know that how to fix.


    Screenshot_42.png
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you post a screenshot of the specific warning message you see in "WHM >> Security Advisor"?

    Thank you.
     
  3. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Screenshot from Security Advisor.

    Screenshot_43.png

     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's likely you were using DSO with Mod_Ruid2 before switching MPMs. The DSO handler requires the MPM Prefork Apache module, so you'd need to use an alternate method of symlink protection if you want to continue using mod_http2. You can find a list of options at:

    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    Thank you.
     
  5. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Now I am not using DSO with Mod_Ruid2. I am using mod_mpm_event with FastCGI
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    I am referring to the handler you used before switching from the Prefork MPM to the Event MPM. Ruid2 offers symlink protection, so when you moved away from DSO, you lost the Ruid2 protection.

    Thank you.
     
  7. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    So what the symlink protection who are not using Ruid2 protection? FollowSymLinks and SymLinksIfOwnerMatch are not have symlink protection?

    upload_2017-7-20_18-9-5.png
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  9. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm not referring to any specific method of protection against symlink attacks. There are several methods you can use that are documented on the URL referenced in my last response. The BlueHost patch is one of those methods, but ensure to review the considerations for that option at:

    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    Thank you.
     
  11. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator

    Then does cPanel hardened kernel support on CentOS 7 64-bit systems?

    To enable the patch manually, set the following directives:

    Code:
    SymlinkProtect On|Off
    SymlinkProtectRoot /var/www/html
    Where i can put this code ?
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    You'd actually just browse to "WHM Home >> Service Configuration >> Apache Configuration >> Global Configuration" and scroll down to the bottom to enable "Symlink Protection" if you want to use this option. The manual method is only intended for cPanel versions prior to cPanel 62.

    No, the cPanel-hardened kernel is only available on CentOS 6 systems, so that's not a viable solution in your case.

    Thank you.
     
  13. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    OK, I do enable "Symlink Protection" but why not image showing from URL (/image/iDxIv) after enabled "Symlink Protection"?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Do you notice any specific output to /usr/local/apache/logs/error_log when the images fail to load?

    Thank you.
     
  15. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    418
    Likes Received:
    10
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Yes, I have enabled "Symlink Protection" then why I am still getting email from Security Advisor notifications?

     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page