Symlink race condition protection

Wiched

cPanel Access Level: Root Administrator

The last 2 errors in the Security Advisor are:

1. No symlink protection detected
2. SSH direct root logins are permitted.

For the second one, I've limited sshd to my IP address, I disabled user shell access and connect only through key. Is that a sufficient way or is there better for security?

Now on to my main question. I've read a couple of threads here about symlink protection.
I use WHM on CentOS 7. The problem is easy apache 2.2 + mod_ruid2 doesn't support CentOS 7 and Apache 2.4 which is supported doesn't work with mod_ruid2.

Can you help me with ideas how to fix this issue?

Best regards
 

cPanelMichael

Administrator
Staff member
Hello,

> Now on to my main question. I've read a couple of threads here about symlink protection.
> I use WHM on CentOS 7. The problem is easy apache 2.2 + mod_ruid2 doesn't support CentOS 7 and Apache 2.4 which is supported doesn't work with mod_ruid2.

The following is a list of the preferred solutions:

Cloudlinux SecureLinks
Cloudlinux CageFS
Grsecurity Kernel Symlink Protection
LitespeedTech
Mod_Ruid2

Note that internal case EA-4430 will allow for the combined use of Mod_Security and Mod_Ruid2/mod_mpm_itk, despite the minor bugs currently associated with using them together.

> For the second one, I've limited sshd to my IP address, I disabled user shell access and connect only through key. Is that a sufficient way or is there better for security?

That's generally sufficient, but the warning message is suggesting you authenticate as another user first, and then use sudo or su to access "root".

Thank you.
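
As an added example (not from the thread or from cPanel), the sketch below audits an sshd_config for the situation discussed above: key-only access that still lets root log in directly. The sample configuration, its addresses and all function names are constructed for illustration; on a live server `sshd -T` prints the effective values.

```python
import re

# Constructed sample resembling the poster's setup: key-only access from one address.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not taken from the thread
PasswordAuthentication no
PermitRootLogin without-password
permitrootlogin no
AllowUsers root@203.0.113.10
Match Address 203.0.113.10
    PermitRootLogin yes
"""

# "Keyword value" or "Keyword=value"; comment lines never match because of \w.
DIRECTIVE = re.compile(r"^(\w+)[\s=]+(.*)$")

def parse(text):
    """Split sshd_config text into global settings and Match-block overrides.

    Keywords are case-insensitive and sshd keeps the first value it reads for
    each keyword, so later duplicates in the same scope are ignored.
    """
    global_settings, overrides, scope = {}, [], None
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scope = value  # everything below belongs to this Match block
        elif scope is None:
            global_settings.setdefault(key, value)
        elif not any(s == scope and k == key for s, k, _ in overrides):
            overrides.append((scope, key, value))
    return global_settings, overrides

def audit_root_login(text):
    """Report whether root can open an SSH session directly."""
    settings, overrides = parse(text)
    value = settings.get("permitrootlogin")  # None: compiled-in default applies
    return {
        "permitrootlogin": value,
        # Any value except "no" still lets root authenticate directly,
        # key-only modes included; None means the file does not decide it.
        "direct_root_login": None if value is None else value.lower() != "no",
        "password_auth_enabled": settings.get("passwordauthentication", "").lower() != "no",
        "match_reenables": [s for s, k, v in overrides
                            if k == "permitrootlogin" and v.lower() != "no"],
    }

if __name__ == "__main__":
    print(audit_root_login(SAMPLE_SSHD_CONFIG))
```

In the sample, the second `permitrootlogin no` has no effect because the earlier `without-password` is read first, and the `Match` block would re-enable root login even if the global value were `no`.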
 

cPanelMichael

Administrator
Staff member
Hello,

To update, the following case is now published as part of EasyApache 4:

814b990: EA-4632 - Remove mod_mpm_itk and mod_ruid2 conflicts

The full change log is documented at:

EasyApache 4 Change Log - EasyApache 4 - cPanel Documentation

Note the DBM issues persist, but we no longer prevent users from enabling both modules at the same time.

Thank you.