No symlink protection detected
cPanel Security Advisor showing error No symlink protection detected after switched our sites to MPM:Event from prefork because Starting from Apache 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2. But we have enabled FollowSymLinks and SymLinksIfOwnerMatch. Please let me know that how to fix.
47823
-
Hello, Could you post a screenshot of the specific warning message you see in "WHM >> Security Advisor"? Thank you. 0 -
Hello, Could you post a screenshot of the specific warning message you see in "WHM >> Security Advisor"? Thank you.
Screenshot from Security Advisor. 47827 No symlink protection detected You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.0 -
Hello, It's likely you were using DSO with Mod_Ruid2 before switching MPMs. The DSO handler requires the MPM Prefork Apache module, so you'd need to use an alternate method of symlink protection if you want to continue using mod_http2. You can find a list of options at: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation Thank you. 0 -
Now I am not using DSO with Mod_Ruid2. I am using mod_mpm_event with FastCGI
I am referring to the handler you used before switching from the Prefork MPM to the Event MPM. Ruid2 offers symlink protection, so when you moved away from DSO, you lost the Ruid2 protection. Thank you.0 -
I am referring to the handler you used before switching from the Prefork MPM to the Event MPM. Ruid2 offers symlink protection, so when you moved away from DSO, you lost the Ruid2 protection. Thank you.
So what the symlink protection who are not using Ruid2 protection? FollowSymLinks and SymLinksIfOwnerMatch are not have symlink protection? 478310 -
Hello, No, that area isn't for symlink protection. You'd need to use one of the options documented at: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation Let us know if you have any questions about this document. Thank you. 0 -
Hello, I'm not referring to any specific method of protection against symlink attacks. There are several methods you can use that are documented on the URL referenced in my last response. The BlueHost patch is one of those methods, but ensure to review the considerations for that option at: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation Thank you. 0 -
Where i can put this code ?
You'd actually just browse to "WHM Home >> Service Configuration >> Apache Configuration >> Global Configuration" and scroll down to the bottom to enable "Symlink Protection" if you want to use this option. The manual method is only intended for cPanel versions prior to cPanel 62.Then does cPanel hardened kernel support on CentOS 7 64-bit systems?
No, the cPanel-hardened kernel is only available on CentOS 6 systems, so that's not a viable solution in your case. Thank you.0 -
You'd actually just browse to "WHM Home >> Service Configuration >> Apache Configuration >> Global Configuration" and scroll down to the bottom to enable "Symlink Protection" if you want to use this option. The manual method is only intended for cPanel versions prior to cPanel 62.
OK, I do enable "Symlink Protection" but why not image showing from URL (/image/iDxIv) after enabled "Symlink Protection"?0 -
OK, I do enable "Symlink Protection" but why not image showing from URL (/image/iDxIv) after enabled "Symlink Protection"?
Do you notice any specific output to /usr/local/apache/logs/error_log when the images fail to load? Thank you.0 -
You'd actually just browse to "WHM Home >> Service Configuration >> Apache Configuration >> Global Configuration" and scroll down to the bottom to enable "Symlink Protection" if you want to use this option. The manual method is only intended for cPanel versions prior to cPanel 62.
Yes, I have enabled "Symlink Protection" then why I am still getting email from Security Advisor notifications? New Security Advisor notifications with Medium importance
Type: Medium, Module: Apache, Advice: Apache Symlink Protection: the Bluehost provided Apache patch is in effect It appears that the Bluehost provided Apache patch is being used to provide symlink protection. This is less than optimal. Please review Symlink Race Condition Protection.0 -
Hello, That notification is accurate. The option you enabled is called the "Bluehost" patch and while it offers symlink race condition protection, it's less than optimal. You can ignore that warning message, or switch to another solution such as using CloudLinux: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation Thank you. 0
Please sign in to leave a comment.
Comments
15 comments