Add KernelCare’s Free Symlink Protection
I have just upgraded the OS to Rocky 8.
When I run cPanel Security Advisor I get the following:
Kernel does not support the prevention of symlink ownership attacks.
You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
Add KernelCare’s Free Symlink Protection.
This free patch set protects your system from symlink attacks. Add KernelCare’s Free Patch Set. Add KernelCare’s Free Symlink Protection. NOTE: This is not the full KernelCare product and service.
You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.
A KernelCare update is available.
You must take one of the following actions to ensure the system is up-to-date:
- Patch the kernel (run “kcarectl --update” on the command line).
- Update the system (run “yum -y update” on the command line), and reboot the system.
----
However, when I run the kcarectl --update in ssh, I get "downloading updates" and then "complete". When I restart the server and re-run the security advisor, I get the exact same message. It appears symlink protection has not been added.
If I click on the "Add KernelCare’s Free Symlink Protection." in whm, it navigates to "https://serveraddress:2087/cpsess7608784606/scripts13/add_kernelcare_free_symlink_protection" and just reloads the security advisor page with the same warning messages.
-
cPRex I opened a ticket on this last year: #95279186 - your techs concluded it was "usual behaviour for KernelCare", but the point is, this system is broken if it is "usual behaviour" and yet keeps nagging people to do something about it. So your interface is broken and does not work - at the very least it needs attention to remove the nag.
0 -
pkiff - so it sounds like you aren't seeing any issues?
I'm honestly a bit confused at this point as to what you're all still seeing.
0 -
Sorry for the confusion. It's been a bit of a moving target for me because I keep updating software then re-testing, and then comparing my two systems.
Summary:
On AlmaLinux 8, I've not really had issues and I'm running latest releases of everything.
On RockyLinux 9, I now only have a single (probably false positive) notification left.
More details:
On RockyLinux 9, I originally had issues that were the same as others in the thread - including initially getting blank screens when I tried to install the free KernelCare via the link in the Security Advisor notice - and including getting a not authorized error when running the recommended command line script to update.
But then yesterday, after a system update on my RockyLinux system, I uninstalled KernelCare and started over. That time, things went more or less the way I think cPanel understands that they should at the moment:
- first, using the link from Security Advisor to install the free KernelCare worked for the first time for me, though there were still multiple warnings afterwards left in Security Advisor
- then, running the update via the command line also worked for the first time for me on RockyLinux, and the system reported that the kernel was safe for the first time.
What remains on that system now is just the single warning notification: "Kernel does not support the prevention of symlink ownership attacks." which I assume is a false positive that will eventually go away.
Oh, also, on that same RockyLinux system with the note about my Kernel not supporting prevention, I also have, under the Verified section in green, a checkmark that "KernelCare is installed and current running kernel version is up to date: 5.14.0-503.31.1.el9_5".
0 -
Thanks for that - let me do some testing and I'll let you know what I find!
0 -
Any chance you could make a ticket for this one? I'm having trouble getting a test server to fail in this specific manner.
0 -
I'm slow returning to this issue, but I did finally get my hosting provider to create a ticket in cPanel Support for this: #95664725.
cPanel Support made a config change yesterday by enabling the Symlink Protection option in Apache Global Configuration. But I don't think that resolves the issue?
The "Kernel does not support...." warning is now gone, but I have a new notification that "Apache Symlink Protection: the Bluehost provided Apache patch is in effect". I understood from the current documentation that cPanel recommends disabling the built-in Apache symlink protection when the free KernelCare symlink protection is enabled:
"If you install either option, disable the Symlink Protection option in the Global Configuration section of WHM’s Apache Configuration interface"
I can't see the ticket because it is being managed through my hosting provider, so I don't know what communication has taken place. But I'm hoping someone can take another look?
0 -
Unfortunately I'm not able to comment on tickets except with the person that opened them, so I can't say anything here about that. If things still aren't working how you expect you'll need to work with the provider directly.
0 -
OK, understood. I think maybe I'll just close that ticket then, since my provider is not able to figure things out either. Next time I set up a server maybe I'll get one with a direct cPanel license - having an intermediary for support tickets is not really functional support for me.
0 -
A quick FYI followup on this for other cPanel users running Rocky Linux 9, today I have a new notification in Security Advisor:
A KernelCare update is available.
You must take one of the following actions to ensure the system is up-to-date:
- Patch the kernel (run “kcarectl --update” on the command line).
- Update the system (run “yum -y update” on the command line), and reboot the system.
When I run `kcarectl --update` I get an error:
The IP ##.##.##.## was already used for a trial license on YYYY-MM-DD
or I get:
HTTP Error 401: Unauthorized: http....
When I run `kcarectl --set-patch-type free --update` I get an error:
'free' patch type is unavailable for your kernel
I can see from the KernelCare Patch site that there was indeed a patch released yesterday for my kernel. Presumably, though, the patch is not yet available to free users. So I'm just going to wait for a while (days? weeks? who knows?) until the patch becomes installable.
In this case, my guess is that the error from Security Advisor is once again incorrect: there is not a patch yet available for free users, it is only available for paid users at the moment.
0 -
Look, I'm not saying our up to date AlmaLinux 9.x server got attacked because of this security warning.
Synopsis:
- 100+ sites on the same server
- One user had 8 sites, 4 active WordPress sites
- WordPress got attacked, could be WP Bakery, could be Revolution Slider, who knows
- Hard evidence of symlink scanning for `.env`, `.conf`, and of course `wp-config.php`
- The attacker signature is 20+ thousand scanned files of 404.txt ending with symlink to these config files "fox.txt".
What I am saying is:
> There is no workaround at this time. The Security Advisor warning can be safely ignored.
0 -
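The post above describes the evidence it found as planted symlinks (the "fox.txt" files) pointing at other accounts' `wp-config.php`, `.env` and `.conf` files. As an added, defender-side example that is not part of the thread, the script below walks a directory tree, reports every symlink whose target is a secret-bearing configuration file, and counts them; `demo_scan` builds a constructed two-account layout in a temporary directory so the check can be run offline. The function names and the file list are assumptions for illustration, not cPanel or KernelCare code.

```shell
#!/bin/sh
# Added example (not from the thread): scan for symlinks that resolve to
# configuration files, the indicator described in the post above.
# Helper names and the watched-file list are hypothetical choices here.

# Print "link -> target" for every symlink under $1 whose target's basename
# is a secret-bearing file. Output is empty when nothing is found.
find_config_symlinks() {
    find "$1" -type l -print 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link") || continue
        case "$(basename "$target")" in
            wp-config.php|.env|*.conf|configuration.php|settings.php)
                printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Number of suspicious symlinks under $1, as a bare integer.
count_config_symlinks() {
    find_config_symlinks "$1" | wc -l | tr -d ' '
}

# Build a constructed two-account tree in a temp dir and return the count.
# One planted link ("fox.txt", the filename quoted in the post) points at a
# neighbour's wp-config.php; one benign link points at an ordinary file.
demo_scan() {
    base=$(mktemp -d)
    mkdir -p "$base/home/victim/public_html" "$base/home/other/public_html"
    printf "define('DB_PASSWORD', 'constructed');\n" > "$base/home/victim/public_html/wp-config.php"
    printf 'hello\n' > "$base/home/other/public_html/index.html"
    ln -s "$base/home/victim/public_html/wp-config.php" "$base/home/other/public_html/fox.txt"
    ln -s "$base/home/other/public_html/index.html" "$base/home/other/public_html/benign.txt"
    count_config_symlinks "$base"
    rm -rf "$base"
}

# On a real cPanel host the equivalent call would be: find_config_symlinks /home
demo_scan
```

The scan only matches on the target's file name, so it reports findings for review rather than proving compromise; a cron job that mails a non-empty result to the administrator is a cheap early warning while the kernel-level or Apache-level symlink protection discussed in this thread is being sorted out. On GNU systems, comparing `stat -c %U` of the link and of its target would additionally flag the cross-account case that the symlink-ownership protection exists to block.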
Vander Host Management - would you be able to submit a ticket so we can examine your specific situation?
0 -
As far as I can tell, the error seems to come from whether there is a patch applied or not. I have a server which ran an older version of the kernel which had a patch available, and the symlink error didn't show. However, after updating the kernel (which doesn't have any patches available) and rebooting, I now have it in the security advisor.
This is also true for servers with the EXTRA patch set.
I am unsure if this means that the newest kernel doesn't get the symlink protection until a patch is provided or not, but this looks like you shouldn't update to the latest kernel :/
//Geoffrey
0