Default Cpanel Server installation have Symlink Vulnerability, that allow hacker to hack other sites hosted on the server once he have gained access to one of the web sites by creating Symlink.
There are several solutions for this problem, including custom kernal by cpanel, but that was only available in CentOS 7, even for CentOS 7, it was not kept updated all the time.
Best solution so far is to use CloudLinux, but this will cost extra $10 to $14 per month per server. This is fine for shared hosting providers, but if you only host few of your own sites and don’t want the features CloudLinux offer, you have no go with less secure options.
Recently CloudLinux made their Symlink protection path available for everyone FREE. This patch can be installed for CentOS 6 and 7.
To install Symlink protection patch, run
curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
Install it with
kcarectl --set-patch-type free --update
Edit file /etc/sysconfig/kcare/sysctl.conf
On Cpanel Servers
fs.enforce_symlinksifowner = 1 fs.symlinkown_gid = 99
On Non Cpanel Servers, add
fs.enforce_symlinksifowner = 1 fs.symlinkown_gid = 48
Now run (or reboot the system)
sysctl -w fs.enforce_symlinksifowner=1 sysctl -w fs.symlinkown_gid=48