Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

No symlink protection detected

Discussion in 'Security' started by Nirjonadda, Jul 19, 2017.

  1. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    cPanel Security Advisor showing error No symlink protection detected after switched our sites to MPM:Event from prefork because Starting from Apache 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2. But we have enabled FollowSymLinks and SymLinksIfOwnerMatch. Please let me know that how to fix.


    Screenshot_42.png
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you post a screenshot of the specific warning message you see in "WHM >> Security Advisor"?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Screenshot from Security Advisor.

    Screenshot_43.png

     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's likely you were using DSO with Mod_Ruid2 before switching MPMs. The DSO handler requires the MPM Prefork Apache module, so you'd need to use an alternate method of symlink protection if you want to continue using mod_http2. You can find a list of options at:

    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Now I am not using DSO with Mod_Ruid2. I am using mod_mpm_event with FastCGI
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    I am referring to the handler you used before switching from the Prefork MPM to the Event MPM. Ruid2 offers symlink protection, so when you moved away from DSO, you lost the Ruid2 protection.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    So what the symlink protection who are not using Ruid2 protection? FollowSymLinks and SymLinksIfOwnerMatch are not have symlink protection?

    upload_2017-7-20_18-9-5.png
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm not referring to any specific method of protection against symlink attacks. There are several methods you can use that are documented on the URL referenced in my last response. The BlueHost patch is one of those methods, but ensure to review the considerations for that option at:

    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator

    Then does cPanel hardened kernel support on CentOS 7 64-bit systems?

    To enable the patch manually, set the following directives:

    Code:
    SymlinkProtect On|Off
    SymlinkProtectRoot /var/www/html
    Where i can put this code ?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    You'd actually just browse to "WHM Home >> Service Configuration >> Apache Configuration >> Global Configuration" and scroll down to the bottom to enable "Symlink Protection" if you want to use this option. The manual method is only intended for cPanel versions prior to cPanel 62.

    No, the cPanel-hardened kernel is only available on CentOS 6 systems, so that's not a viable solution in your case.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    OK, I do enable "Symlink Protection" but why not image showing from URL (/image/iDxIv) after enabled "Symlink Protection"?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Do you notice any specific output to /usr/local/apache/logs/error_log when the images fail to load?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Yes, I have enabled "Symlink Protection" then why I am still getting email from Security Advisor notifications?

     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,712
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice