Which is better Webserver for Symlink protection?

DewlanceVPS (Verified User, joined Oct 3, 2016, 106 messages)
Hello,

I want to use better protection for Symlink.

Which is better for Symlink protection?
- Apache
- Nginx
- OpenLiteSpeed


I love DA :)

Thanks,
Kunnu
 
This? Kernelcare?

link to free protection:
https://www.cloudlinux.com/kernelcare-blog/entry/symlink-protection-patchset-centos-6-7-kernelcare

A symlink race attack is frequently used against shared hosting servers. It allows a malicious user to serve files that belong to other users by creating a symbolic link to those files. It is often used to access config.php files that belong to others. This patchset helps protect against such attacks.

I have full kernelcare running on my DA without issue.

Also in options.conf: harden_symlinks_patch

I love DA too.

Try this out and report back...
 
The only reason symlink is an issue is because people do not reset permissions on their config files and sensitive files to the proper permissions.

A wp-config.php with 644 permissions still has world-readable permission, meaning anyone on the server could read the file.

Changing the permissions on this to 600 or 400 would ensure that only the owner of the file has read/write or read permissions.

This is stated as such at:

https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php

But few people ever actually read this.

The same is true for any config file that stores any sensitive information.

Granted, most end-users aren't going to understand what any of this means. But just because it's difficult to grasp, doesn't mean it's not a good thing to know.
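As an added example (not code from the thread or from DirectAdmin), here is a small POSIX shell audit for the situation described above: it lists config files whose "other" read bit is set, the 0644 wp-config.php case, and tightens them to 0600. The config file names it looks for and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example: find config files other local accounts can read and
# restrict them to the owner. The file names below are assumed; extend
# the list for the applications hosted on the server.

# Print every regular file with a known config name whose "other" read
# bit (0004) is set. -type f skips symlinks, so a link planted by another
# account is neither followed nor reported as if it were the target.
list_world_readable_configs() {
    find "$1" -type f \
        \( -name 'wp-config.php' -o -name 'configuration.php' -o -name '.env' \) \
        -perm -004
}

# Number of such files; a non-zero result is the audit finding.
count_world_readable_configs() {
    list_world_readable_configs "$1" | wc -l | tr -d ' '
}

# Tighten each reported file to owner read/write only (0600).
harden_configs() {
    find "$1" -type f \
        \( -name 'wp-config.php' -o -name 'configuration.php' -o -name '.env' \) \
        -perm -004 -exec chmod 600 {} +
}

# Constructed demo tree (not real site data): one site with a 0644
# wp-config.php, one already at 0600, and an index.html that must be
# left alone because it is meant to be world-readable.
make_demo_tree() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/site_a" "$demo_dir/site_b"
    printf '<?php // demo\n' > "$demo_dir/site_a/wp-config.php"
    chmod 644 "$demo_dir/site_a/wp-config.php"
    printf '<?php // demo\n' > "$demo_dir/site_b/wp-config.php"
    chmod 600 "$demo_dir/site_b/wp-config.php"
    printf 'hello\n' > "$demo_dir/site_a/index.html"
    chmod 644 "$demo_dir/site_a/index.html"
    printf '%s\n' "$demo_dir"
}
```

Tightening to 0600 only works where PHP executes as the file's owner (per-user php-fpm pools, suPHP and the like); if PHP runs as a shared web server account, that account loses read access and the site stops working.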
 
All true and I even have that article posted on my Knowledgebase. I run everything through my wife... as she is a User just for fun. She said "I just want it to work", "does this mean it doesn't work", "my website is up and I can see it".

Like they say an Ounce of Prevention is worth a Pound of Cure.
 
I tried Kernelcare but it is still readable and a normal account can see /etc and other folders.
 
You are confusing Kernelcare with CageFS or a chroot'd jail shell.

Kernelcare is not going to provide that level of service.
 
Well... as far as I know... the answer is no - at least natively with DirectAdmin.

The broader question here would be... what application are you seeing this in?

For example, PHP-FPM has a per pool chroot environment option available. Granted... you'd have to create this chroot'd environment - for each user - since DirectAdmin does not natively have such a thing (that I am aware of). And this will only apply itself in PHP and specifically if you use php-fpm as your PHP to web server connector. But that's probably going to protect you for 99% of the cases.
 