HostOnNet Blog

Free Symlink Protection From CloudLinux

A default cPanel server installation has a symlink vulnerability: once an attacker has gained access to one of the web sites, they can create symlinks to reach other sites hosted on the same server.

There are several solutions to this problem, including a custom kernel from cPanel, but that was only available for CentOS 7, and even there it was not kept updated all the time.

The best solution so far is to use CloudLinux, but this costs an extra $10 to $14 per month per server. That is fine for shared hosting providers, but if you only host a few of your own sites and don't want the features CloudLinux offers, you have to go with less secure options.

Recently CloudLinux made their symlink protection patch available to everyone for free. This patch can be installed on CentOS 6 and 7.

To install the symlink protection patch, first run the KernelCare installer:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Then select the free patch set and apply it with

kcarectl --set-patch-type free --update

Edit the file /etc/sysconfig/kcare/sysctl.conf

vi /etc/sysconfig/kcare/sysctl.conf

On cPanel servers, add

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99

On non-cPanel servers, add

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48

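Now apply the settings to the running kernel (or reboot the system). On cPanel servers use 99 for fs.symlinkown_gid, matching the value set in the file above: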

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48
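
A check for the settings above, added here as an example (not part of the original post or of KernelCare): it reads the config file, compares it with the GID the post gives for the server type, and compares the running kernel with the file. The function names and the use of the /usr/local/cpanel directory to detect a cPanel server are assumptions.

```shell
#!/bin/sh
# Added example: audit the symlink-protection settings described in this post.
# Helper names are hypothetical; only sysctl and the two fs.* keys come from the post.

# Print the last value assigned to key $2 in sysctl-style file $1
# (skips comment lines, tolerates spaces around "=").
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }' "$1"
}

# Expected GID per the post: 99 on cPanel servers, 48 otherwise.
# Assumption: a cPanel server is recognised by its /usr/local/cpanel directory.
expected_gid() {
    if [ -d "${1:-/usr/local/cpanel}" ]; then echo 99; else echo 48; fi
}

# Check file $1 against expected GID $2; print each problem, non-zero if any.
audit_conf() {
    conf=$1; want_gid=$2; rc=0
    [ -r "$conf" ] || { echo "missing: $conf"; return 2; }
    enforce=$(conf_value "$conf" fs.enforce_symlinksifowner)
    gid=$(conf_value "$conf" fs.symlinkown_gid)
    [ "$enforce" = 1 ] || { echo "fs.enforce_symlinksifowner is '$enforce', want 1"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "fs.symlinkown_gid is '$gid', want $want_gid"; rc=1; }
    return $rc
}

# Compare the running kernel with file $1. The fs.* keys only exist once the
# patch is loaded, so a missing key is reported as a failure.
audit_live() {
    rc=0
    for key in fs.enforce_symlinksifowner fs.symlinkown_gid; do
        live=$(sysctl -n "$key" 2>/dev/null) || { echo "$key not present (patch not loaded?)"; rc=1; continue; }
        [ "$live" = "$(conf_value "$1" "$key")" ] || { echo "$key live=$live differs from $1"; rc=1; }
    done
    return $rc
}
```

Typical use on the server: `audit_conf /etc/sysconfig/kcare/sysctl.conf "$(expected_gid)" && audit_live /etc/sysconfig/kcare/sysctl.conf`.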
