How to avoid or prevent Symlink Attack .

Symlink Security issue is one of the critical problem of the any web hosting.

Here you can find , how attacker uses synlink to attack on your web site

For Instance ,

Attacker uses a perl / pythone scripts or uses a cron job symbalic link of top level directory ”/” typing: “ln -s / anydir” to gain the access of the file.

How to prevent symlink attack ?

There are many symlink attack solution are flowing over the internet. Here you will find comprehensive solution for this attack. We would like recommend the filesystem level solution and kernal + apache solution as given below.

1) Installation of CageFS : CloudLinux

CloudLinux is integrated with Apache (suexec, suPHP, mod_fcgid, mod_fastcgi) . This is core feature which will help you to avoid symlink attacks. You will have good control over your system. You can find here installation of the CageFS Cloud Linux here .

2) Jail Apache Virtual Hosts Via mod_ruid2 and cPanel Jailshell

When you enable this option from security tab from the WHM then, this action will run Apache virtual hosts in a chrooted environment.To enable this option you find the steps here

3) Kernal Patch solution :

To use this patch you required custom kernal and installation knowledge.

+config GRKERNSEC_SYMLINKOWN
+   bool "Kernel-enforced SymlinksIfOwnerMatch"
+   default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
+   help
+     Apache's SymlinksIfOwnerMatch option has an inherent race condition
+     that prevents it from being used as a security feature.  As Apache
+     verifies the symlink by performing a stat() against the target of
+     the symlink before it is followed, an attacker can setup a symlink
+     to point to a same-owned file, then replace the symlink with one
+     that targets another user's file just after Apache "validates" the
+     symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+     race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+     will be in place for the group you specify. If the sysctl option
+     is enabled, a sysctl option with name "enforce_symlinksifowner" is
+     created.

 

The above solution is recommend by the grsecurity

4) Install Secure link for apache :

The way it works, it makes sure that the file that will be served by Apache is owned by the same user, as the owner of VirtualHost. We pick up the owner of virtual host from SuexecUserGroup directive.
This makes the protection unbreakable via any race conditions, hard links or symbolic links.

How to install Secure Link for apache

These are the answer for how to prevent symlink attack .

Of course you don’t have to worry about your security issues,if uses one of the plans from Linux shared web hosting. Hostripples security team is already know the issues and countermeasures.

PS. If you liked this post please share it with your friends on the social network